CVE-2020-6200: 
SAP Commerce Cloud vulnerability analysis and mitigation

The SAP Commerce (SmartEdit Extension), versions 6.6, 6.7, 1808, and 1811, was identified with a client-side AngularJS template injection vulnerability, which is a variant of Cross-Site-Scripting (XSS). This vulnerability (CVE-2020-6200) was discovered in early 2020 and specifically targets the templating facilities of the Angular framework (NVD, CVE).

The vulnerability is classified with a CVSS v3 Base Score of 5.4 (Medium), with an Impact Score of 2.7 and Exploitability Score of 2.3. The attack vector is Network-based (AV:N), with Low attack complexity (AC:L), requiring Low privileges (PR:L) and User interaction (UI:R). The scope is Changed (S:C), with Low impact on both Confidentiality (C:L) and Integrity (I:L), while having No impact on Availability (A:N) (AttackerKB).

The vulnerability affects the confidentiality and integrity of the system with low severity, potentially allowing attackers to inject malicious templates through the Angular framework's templating facilities. This could lead to unauthorized access to sensitive information and potential manipulation of client-side data (NVD).

SAP has released security patches to address this vulnerability. Users are advised to update their SAP Commerce (SmartEdit Extension) to versions newer than those affected (6.6, 6.7, 1808, 1811) (SAP Note).