{"id":14338,"date":"2018-12-13T11:19:07","date_gmt":"2018-12-13T10:19:07","guid":{"rendered":"\/?p=14338"},"modified":"2019-03-11T11:20:54","modified_gmt":"2019-03-11T10:20:54","slug":"sap-hybris-commerce","status":"publish","type":"post","link":"\/de\/security-alert\/sap-hybris-commerce\/","title":{"rendered":"SAP Hybris Commerce"},"content":{"rendered":"<p>Original date: 13.12.2018<br \/>\nOverall risk classification: <span class=\"badge badge-danger\">HIGH<\/span><\/p>\n<h3>Overview<\/h3>\n<p>A Cross-Site Scripting vulnerability in SAP Hybris Commerce was announced and patches were provided [1].<\/p>\n<h3>Systems Affected<\/h3>\n<ul>\n<li>Version 6.2 to 6.7<\/li>\n<li>Version 18.08<\/li>\n<\/ul>\n<p>This vulnerability affects all SAP Hybris Commerce storefronts that are based on a vulnerable version of SAP Hybris Commerce and that integrate SmartEdit.<br \/>\nEven patched versions can still be vulnerable when pages still include a vulnerable version of webApplicationInjector.js.<\/p>\n<h3>Threat<\/h3>\n<p><strong>Risk<\/strong>: <span class=\"badge badge-danger\">HIGH<\/span><br \/>\nAn attacker could exploit this XSS vulnerability to execute arbitrary JavaScript code in the browsers of other users.<br \/>\nThis could be exploited to display fake login screens with the goal of stealing credentials, or to impersonate users and perform actions with the permissions of the affected users.<br \/>\n<strong>Exploitability<\/strong>: <span class=\"badge badge-danger\">HIGH<\/span><br \/>\nNo further details are provided.<br \/>\n<strong>Priority<\/strong> (for affected, internet-exposed systems): <span class=\"badge badge-danger\">HIGH<\/span><br \/>\n<strong>Priority<\/strong> (for internal systems): <span class=\"badge badge-danger\">HIGH<\/span><\/p>\n<h3>Mitigation<\/h3>\n<p>Upgrade to the latest patch release. Note that after the update, additional manual steps are necessary to install the fix in all your storefronts that integrate SmartEdit. Details can be found here [1].<br \/>\nIf your system is affected and upgrading is not possible, remove webApplicationInjector.js from your storefront [1].<\/p>\n<h3>Author<\/h3>\n<p>Martin Sch\u00f6ne<\/p>\n<h3>References<\/h3>\n<p>[1] https:\/\/launchpad.support.sap.com\/#\/notes\/2711425 (SAP account required)<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A Cross-Site Scripting vulnerability in SAP Hybris Commerce was announced and patches were provided.<\/p>\n","protected":false},"author":29,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[64],"tags":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.1 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>SAP Hybris Commerce - sectest.team<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"\/security-alert\/sap-hybris-commerce\/\" \/>\n<meta property=\"og:locale\" content=\"de_DE\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"SAP Hybris Commerce\" \/>\n<meta property=\"og:description\" content=\"A Cross-Site Scripting vulnerability in SAP Hybris Commerce was announced and patches were provided.\" \/>\n<meta property=\"og:url\" content=\"\/security-alert\/sap-hybris-commerce\/\" \/>\n<meta property=\"og:site_name\" content=\"sectest.team\" \/>\n<meta property=\"article:published_time\" content=\"2018-12-13T10:19:07+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2019-03-11T10:20:54+00:00\" \/>\n<meta name=\"author\" content=\"Tuyen Nguyen\" \/>\n<meta name=\"twitter:label1\" content=\"Verfasst von\" \/>\n\t<meta name=\"twitter:data1\" content=\"Tuyen Nguyen\" \/>\n\t<meta name=\"twitter:label2\" content=\"Gesch\u00e4tzte Lesezeit\" \/>\n\t<meta name=\"twitter:data2\" content=\"1\u00a0Minute\" \/>\n<script 
type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"\/security-alert\/sap-hybris-commerce\/\",\"url\":\"https:\/\/sectest.hostpress.me\/security-alert\/sap-hybris-commerce\/\",\"name\":\"[:en]SAP Hybris Commerce[:] - sectest.team\",\"isPartOf\":{\"@id\":\"https:\/\/sectest.hostpress.me\/#website\"},\"datePublished\":\"2018-12-13T10:19:07+00:00\",\"dateModified\":\"2019-03-11T10:20:54+00:00\",\"author\":{\"@id\":\"https:\/\/sectest.hostpress.me\/#\/schema\/person\/ac34e9ab3a597646eb101a26405d2c28\"},\"breadcrumb\":{\"@id\":\"https:\/\/sectest.hostpress.me\/security-alert\/sap-hybris-commerce\/#breadcrumb\"},\"inLanguage\":\"de-DE\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/sectest.hostpress.me\/security-alert\/sap-hybris-commerce\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/sectest.hostpress.me\/security-alert\/sap-hybris-commerce\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"\/de\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"SAP Hybris Commerce\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/sectest.hostpress.me\/#website\",\"url\":\"https:\/\/sectest.hostpress.me\/\",\"name\":\"sectest.team\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/sectest.hostpress.me\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"de-DE\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/sectest.hostpress.me\/#\/schema\/person\/ac34e9ab3a597646eb101a26405d2c28\",\"name\":\"Tuyen 
Nguyen\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"de-DE\",\"@id\":\"https:\/\/sectest.hostpress.me\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/ebe0b5655ad033f17aac019256490ba4?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/ebe0b5655ad033f17aac019256490ba4?s=96&d=mm&r=g\",\"caption\":\"Tuyen Nguyen\"},\"url\":\"\/de\/security-alert\/author\/tutnguyen\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"SAP Hybris Commerce - sectest.team","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/sectest.hostpress.me\/security-alert\/sap-hybris-commerce\/","og_locale":"de_DE","og_type":"article","og_title":"[:en]SAP Hybris Commerce[:] - sectest.team","og_description":"[:en]A Cross-Site-Scripting vulnerability in SAP Hybris Commerce was announced and patches were provided.[:]","og_url":"\/security-alert\/sap-hybris-commerce\/","og_site_name":"sectest.team","article_published_time":"2018-12-13T10:19:07+00:00","article_modified_time":"2019-03-11T10:20:54+00:00","author":"Tuyen Nguyen","twitter_misc":{"Verfasst von":"Tuyen Nguyen","Gesch\u00e4tzte Lesezeit":"1\u00a0Minute"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"\/security-alert\/sap-hybris-commerce\/","url":"https:\/\/sectest.hostpress.me\/security-alert\/sap-hybris-commerce\/","name":"[:en]SAP Hybris Commerce[:] - 
sectest.team","isPartOf":{"@id":"https:\/\/sectest.hostpress.me\/#website"},"datePublished":"2018-12-13T10:19:07+00:00","dateModified":"2019-03-11T10:20:54+00:00","author":{"@id":"https:\/\/sectest.hostpress.me\/#\/schema\/person\/ac34e9ab3a597646eb101a26405d2c28"},"breadcrumb":{"@id":"https:\/\/sectest.hostpress.me\/security-alert\/sap-hybris-commerce\/#breadcrumb"},"inLanguage":"de-DE","potentialAction":[{"@type":"ReadAction","target":["https:\/\/sectest.hostpress.me\/security-alert\/sap-hybris-commerce\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/sectest.hostpress.me\/security-alert\/sap-hybris-commerce\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"\/de\/"},{"@type":"ListItem","position":2,"name":"SAP Hybris Commerce"}]},{"@type":"WebSite","@id":"https:\/\/sectest.hostpress.me\/#website","url":"https:\/\/sectest.hostpress.me\/","name":"sectest.team","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/sectest.hostpress.me\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"de-DE"},{"@type":"Person","@id":"https:\/\/sectest.hostpress.me\/#\/schema\/person\/ac34e9ab3a597646eb101a26405d2c28","name":"Tuyen Nguyen","image":{"@type":"ImageObject","inLanguage":"de-DE","@id":"https:\/\/sectest.hostpress.me\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/ebe0b5655ad033f17aac019256490ba4?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/ebe0b5655ad033f17aac019256490ba4?s=96&d=mm&r=g","caption":"Tuyen 
Nguyen"},"url":"\/de\/security-alert\/author\/tutnguyen\/"}]}},"_links":{"self":[{"href":"https:\/\/sectest.hostpress.me\/de\/wp-json\/wp\/v2\/posts\/14338"}],"collection":[{"href":"https:\/\/sectest.hostpress.me\/de\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sectest.hostpress.me\/de\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sectest.hostpress.me\/de\/wp-json\/wp\/v2\/users\/29"}],"replies":[{"embeddable":true,"href":"https:\/\/sectest.hostpress.me\/de\/wp-json\/wp\/v2\/comments?post=14338"}],"version-history":[{"count":1,"href":"https:\/\/sectest.hostpress.me\/de\/wp-json\/wp\/v2\/posts\/14338\/revisions"}],"predecessor-version":[{"id":14339,"href":"https:\/\/sectest.hostpress.me\/de\/wp-json\/wp\/v2\/posts\/14338\/revisions\/14339"}],"wp:attachment":[{"href":"https:\/\/sectest.hostpress.me\/de\/wp-json\/wp\/v2\/media?parent=14338"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sectest.hostpress.me\/de\/wp-json\/wp\/v2\/categories?post=14338"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sectest.hostpress.me\/de\/wp-json\/wp\/v2\/tags?post=14338"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}