SAP takes the security of its vast product portfolio very seriously and thus releases security fixes for
vulnerabilities reported by external researchers and their customers every second Tuesday of the month.
SAP Note 2965287
was released on
13.10.2020 and deals with
"[CVE-2020-6363] Insufficient Session Expiration in SAP Commerce Cloud" within SAP Commerce Cloud.
We advice you to follow the instructions, to resolve
insufficient security function
low potential for exploitation
in component CEC-COM-CPS.
According to SAP Security Advisory team a workaround does not exist. It is advisable to implement the correction as part of maintenance.
Risk specificationSAP Commerce Cloud does not invalidate active sessions after the user has changed their own passphrase.
SAP Commerce Cloud has been updated to activate session invalidation after passphrase change.