On 14.04.2020 SAP released Security Note 2904480 for component CEC-COM-CPS with a CVSS score of 9.3. The note is titled "[CVE-2020-6238] Missing XML Validation vulnerability in SAP Commerce" and affects the system type SAP Commerce Cloud.
According to the SAP Security Advisory team, no workaround exists; the correction should be applied as part of regular maintenance.
The vulnerability addressed is XML External Entity (XXE) processing within SAP Commerce Cloud.
Risk specification: SAP Commerce does not sufficiently validate XML documents, which partially affects the confidentiality and availability of SAP Commerce.
SAP Commerce has been updated to correctly validate XML input.
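The note itself only states that XML input is now validated. As an added illustration (this is not SAP's code or the correction shipped with note 2904480, and it is Python rather than the Java SAP Commerce is built on), the following shows the kind of input gate that closes an XXE issue: any DOCTYPE or entity declaration is rejected before the document reaches the application's parser, so external entities can never be declared, let alone resolved. The sample documents are constructed for the demonstration.

```python
"""Reject XML input that declares a DTD before the application parses it.

Added illustration, not SAP's code. Uses only the Python standard library:
expat does a first pass that fails on any DOCTYPE or entity declaration,
and ElementTree parses only documents that passed that check.
"""
import xml.etree.ElementTree as ET
import xml.parsers.expat


class UnsafeXMLError(ValueError):
    """Raised when a document declares a DTD, an entity, or is malformed."""


def _reject_doctype(name, sysid, pubid, has_internal_subset):
    # expat calls this as soon as <!DOCTYPE ...> is seen; abort the parse.
    raise UnsafeXMLError(f"DOCTYPE declaration for <{name}> is not allowed")


def _reject_entity(name, is_param, value, base, sysid, pubid, notation):
    # Defence in depth: also refuse entity declarations in the internal subset.
    raise UnsafeXMLError(f"entity declaration {name!r} is not allowed")


def check_no_dtd(data: bytes) -> None:
    """Scan `data` with expat and raise UnsafeXMLError on any DTD construct."""
    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = _reject_doctype
    parser.EntityDeclHandler = _reject_entity
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        # Not well-formed input is rejected too, rather than partially parsed.
        raise UnsafeXMLError(f"malformed XML: {exc}") from exc


def safe_parse(data: bytes) -> ET.Element:
    """Validate first, then parse with ElementTree; returns the root element."""
    check_no_dtd(data)
    return ET.fromstring(data)


def is_safe_xml(data: bytes) -> bool:
    """Boolean form of the gate, convenient for logging or metrics."""
    try:
        check_no_dtd(data)
    except UnsafeXMLError:
        return False
    return True


# Constructed sample inputs (not taken from any real SAP Commerce traffic).
BENIGN = b"<order><sku>ABC-1</sku><qty>2</qty></order>"
WITH_DTD = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///placeholder">]>'
    b"<order>&ext;</order>"
)
BARE_DOCTYPE = b"<!DOCTYPE order><order/>"

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("with DTD", WITH_DTD),
                       ("bare DOCTYPE", BARE_DOCTYPE)):
        verdict = "accepted" if is_safe_xml(doc) else "rejected"
        print(f"{label:13s}: {verdict}")
    root = safe_parse(BENIGN)
    print("parsed root element:", root.tag, "qty =", root.find("qty").text)
```

Python's stdlib expat does not fetch external entities unless a handler is installed, so the value of this gate is that the policy is explicit and does not depend on parser defaults, which differ between XML libraries. In Java, where SAP Commerce runs, the equivalent policy is the `http://apache.org/xml/features/disallow-doctype-decl` feature on a `DocumentBuilderFactory` or SAX parser factory.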
Other SAP security notes concerning XML validation (CVSS score first):
- 9.6 [CVE-2020-26831] Missing XML Validation in SAP BusinessObjects Business Intelligence Platform (Crystal Report)
- 7.7 [CVE-2020-6285] Information Disclosure in SAP NetWeaver (XMLToolkit for Java)
- 7.6 [CVE-2020-6366] Missing XML Validation in SAP NetWeaver (Compare Systems)
- 7.1 [CVE-2019-0396] Missing XML Validation vulnerability in SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface)
- 6.5 Update 1 to Security Note 2736825 - [CVE-2019-0271] Denial of Service via XML External Entity (XXE) vulnerability in ABAP Server