2 vulnerabilities in open source libraries used in SAP Commerce: jQuery before 3.4.0, CKEditor before 4.14

See SAP Note 2948317 – Vulnerabilities in open source libraries used in SAP Commerce:

A cross-site scripting (XSS) vulnerability in the HTML Data Processor for CKEditor 4.0 before 4.14 allows remote attackers to inject arbitrary web script through a crafted “protected” comment (with the cke_protected syntax).

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, …) and is open to Object.prototype pollution: if an unsanitized source object contains an enumerable own __proto__ property (as produced by JSON.parse of attacker-controlled input), the deep merge recurses into it and writes the attacker's keys onto the native Object.prototype, where every object in the page inherits them.
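The following is an added example, not code from SAP, jQuery or this note. It models the deep-merge loop at the heart of jQuery.extend(true, …) in two forms, the pre-3.4.0 behaviour and the 3.4.0 fix (skipping the "__proto__" key), and runs a constructed JSON payload through both so the pollution is visible. The merge functions and the payload are this example's own simplifications, not jQuery's source:

```javascript
// Added example (not jQuery's own code): minimal model of the deep-merge
// loop in jQuery.extend(true, target, source), vulnerable and fixed.

// Same idea as jQuery's isPlainObject: only recurse into {}-like values.
function isPlainObject(value) {
  return Object.prototype.toString.call(value) === "[object Object]";
}

// Pre-3.4.0 behaviour: every enumerable own key of `source` is merged,
// including an own key literally named "__proto__".
function vulnerableDeepExtend(target, source) {
  for (const name in source) {
    const copy = source[name];
    if (isPlainObject(copy)) {
      // For name === "__proto__", target[name] goes through the accessor on
      // Object.prototype and returns the shared prototype object itself, so
      // the recursion below writes the attacker's keys onto Object.prototype.
      const clone = isPlainObject(target[name]) ? target[name] : {};
      target[name] = vulnerableDeepExtend(clone, copy);
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}

// 3.4.0 fix: never follow a "__proto__" key into the prototype chain.
function safeDeepExtend(target, source) {
  for (const name in source) {
    if (name === "__proto__") continue; // the one-line fix
    const copy = source[name];
    if (isPlainObject(copy)) {
      const clone = isPlainObject(target[name]) ? target[name] : {};
      target[name] = safeDeepExtend(clone, copy);
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}

// Constructed attacker input. JSON.parse creates an OWN, enumerable property
// named "__proto__"; an object literal {__proto__: x} would instead just set
// the prototype and never reach the merge loop as a key.
const ATTACKER_JSON = '{"__proto__": {"isAdmin": true}}';

function demo() {
  const payload = JSON.parse(ATTACKER_JSON);
  const payloadHasOwnProto = Object.prototype.hasOwnProperty.call(payload, "__proto__");

  const before = ({}).isAdmin; // unrelated fresh object: undefined

  vulnerableDeepExtend({}, payload);
  const afterVulnerable = ({}).isAdmin; // now true on EVERY object

  delete Object.prototype.isAdmin; // undo the pollution for the next step

  safeDeepExtend({}, payload);
  const afterSafe = ({}).isAdmin; // still undefined: key was skipped

  return { payloadHasOwnProto, before, afterVulnerable, afterSafe };
}

console.log(demo());
```

In a real application the polluted key is typically something an authorization or templating check reads with `obj.isAdmin` or `"isAdmin" in obj` without an own-property test, which is why the inherited value matters. To confirm which build a deployment actually ships, the page's own libraries expose their versions at runtime: `jQuery.fn.jquery` and `CKEDITOR.version`; anything below 3.4.0 and 4.14 respectively is in scope for this note.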
