An authenticated attacker in SAP E-Commerce (Business-to-Consumer application), versions 7.3, 7.31, 7.32, 7.33, 7.54, can change the price of the product to zero and also checkout, by injecting an HTML code in the application that will be executed whenever the victim logs in to the application even on a different machine, leading to Code Injection.
References
Link | Resource |
---|---|
https://launchpad.support.sap.com/#/notes/2773493 | Permissions Required Vendor Advisory |
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=521864242 | Vendor Advisory |
Configurations
Configuration 1 (hide)
|
History
No history.
Information
Published : 2019-06-12 15:29
Updated : 2024-02-28 17:08
NVD link : CVE-2019-0308
Mitre link : CVE-2019-0308
CVE.ORG link : CVE-2019-0308
JSON object : View
Products Affected
sap
- e-commerce
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')