Security Alert

SAP Hybris Commerce

Original date: 13.12.2018
Overall risk classification: HIGH

Overview

A Cross-Site Scripting (XSS) vulnerability in SAP Hybris Commerce was announced and patches were provided [1].

Systems Affected

  • Version 6.2 to 6.7
  • Version 18.08

This vulnerability affects all SAP Hybris Commerce storefronts that are based on a vulnerable version of SAP Hybris Commerce and that integrate SmartEdit.
Even a patched system can remain vulnerable if its storefront pages still include a vulnerable version of webApplicationInjector.js.

Threat

Risk: HIGH
An attacker could exploit this XSS vulnerability to execute arbitrary JavaScript code in the browser of other users.
This could be exploited to display fake login screens with the goal of stealing credentials or to impersonate users and perform actions with the permissions of these affected users.
Exploitability: HIGH
No further details are provided.
Priority (for affected, internet-exposed systems): HIGH
Priority (for internal systems): HIGH

Mitigation

Upgrade to the latest patch release. Note that after the update additional manual steps are necessary to install the fix in all your storefronts that integrate SmartEdit. Details can be found here [1].
If your system is affected and upgrading is not possible, remove the webApplicationInjector.js from your storefront [1].
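Because the manual SmartEdit steps must be repeated for every storefront, a quick inventory of which pages still load webApplicationInjector.js helps confirm that the fix (or the removal workaround) actually reached all templates. The following script is an added example, not code from the advisory or from SAP: it parses saved storefront HTML and reports every script tag whose URL path ends in webApplicationInjector.js. The sample pages, their paths and the CDN host are constructed for illustration.

```python
"""Inventory check: which storefront pages still load webApplicationInjector.js?

Added example (not from the advisory or from SAP). Given saved HTML pages,
it lists every <script src> whose path ends in webApplicationInjector.js so
the result can be compared against the list of storefronts that received the
manual SmartEdit fix. Sample pages below are constructed, not real SAP output.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
import posixpath

INJECTOR_NAME = "webApplicationInjector.js"  # file named in the advisory


class _ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag in a document."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":          # HTMLParser lowercases tag names
            return
        for name, value in attrs:    # attribute names are lowercased too
            if name == "src" and value:
                self.sources.append(value)


def script_sources(html):
    """Return all external script URLs referenced by an HTML document."""
    parser = _ScriptSrcCollector()
    parser.feed(html)
    parser.close()
    return parser.sources


def references_injector(src):
    """True if the script URL's path ends with webApplicationInjector.js.

    Query strings (cache busters like ?v=...) and fragments are ignored and
    the filename is compared case-insensitively, so a renamed-case copy or a
    versioned URL is still caught. A ".js.map" file does not match.
    """
    path = urlparse(src).path
    return posixpath.basename(path).lower() == INJECTOR_NAME.lower()


def pages_loading_injector(pages):
    """pages: dict of page name -> HTML text.

    Returns {page name: [matching src, ...]} for every page that still loads
    the injector; pages with no reference are omitted.
    """
    findings = {}
    for name, html in pages.items():
        hits = [s for s in script_sources(html) if references_injector(s)]
        if hits:
            findings[name] = hits
    return findings


# Constructed sample storefront pages (paths and host are made up).
SAMPLE_PAGES = {
    "home.html": (
        '<html><head>'
        '<script src="/static/js/webApplicationInjector.js?v=6.5"></script>'
        '</head><body>Home</body></html>'
    ),
    "product.html": (
        '<html><head>'
        '<SCRIPT SRC="https://cdn.example.invalid/smartedit/WebApplicationInjector.js"></SCRIPT>'
        '</head><body>Product</body></html>'
    ),
    "checkout.html": (
        '<html><head><script src="/static/js/jquery.js"></script></head>'
        '<body>Checkout</body></html>'
    ),
}

if __name__ == "__main__":
    for page, srcs in pages_loading_injector(SAMPLE_PAGES).items():
        print(f"{page}: still loads {', '.join(srcs)}")
```

The script only reports that a page references the injector; it cannot tell a patched copy from a vulnerable one, so every hit should be checked against the version shipped with the patch release described in [1], and a hit on a storefront where the file was supposed to be removed means the workaround is incomplete.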

Author

Martin Schöne

References

[1] https://launchpad.support.sap.com/#/notes/2711425 (SAP account required)

If you need help assessing the risk of your project, do not hesitate to contact us!