####################################################################################################
#
# COMPASS SECURITY ADVISORY https://www.compass-security.com
####################################################################################################
#
# CVE ID:  CVE-2016-6856, CVE-2016-6857, CVE-2016-6858
# Product: SAP Hybris [1]
# Vendor:  SAP [2]
# Subject: Multiple XSS Vulnerabilities in the Hybris Management Console (HMC)
# Risk:    High
# Effect:  Exploitable by Authenticated Hybris Users
# Author:  Damian Pfammatter (advisories@compass-security.ch)
# Date:    October 28th 2016
#
####################################################################################################

Introduction:
-------------
SAP Hybris is an enterprise-grade multichannel e-commerce and product content management (PCM)
software [1], developed by Hybris, a German subdivision of the SAP AG [2].

Damian Pfammatter of Compass Security Schweiz AG [3] discovered both stored (CVE-2016-6857,
CVE-2016-6858) and reflected (CVE-2016-6856) Cross-Site Scripting (XSS) vulnerabilities in the
Hybris Management Console (HMC), which allow executing JavaScript code in a victim's context,
potentially resulting in a number of different attack scenarios.

Affected Versions:
------------------
See Technical Description below.

Hotfix:
-------
See Technical Description below.

Technical Description:
----------------------
CVE-2016-6856: Reflected XSS Vulnerability in the HMC - "Inbox Search" Functionality

Users in HMC typically have access to a personal inbox. The functionality to search within these
inboxes is vulnerable to reflected XSS attacks. More specifically, the "itemsperpage" parameter is
affected.

Affected Version: 5.6
Fixed Version:    6.0

CVE-2016-6857: Stored XSS Vulnerability in the HMC - "Create Catalogue" Functionality

Authenticated users in the HMC, having permissions to create new catalogues, may place malicious
JavaScript code into a catalogue's "ID" field. Once such a catalogue is accessed using the
Catalogue Browser of HMC, the injected code is executed in the context of the user viewing the
item. The vulnerability arises due to improper output encoding of the IDs in the Catalogue Browser
of HMC.

Affected Version: 5.6
Fixed Versions:   5.2.0.13, 5.3.0.11, 5.4.0.11, 5.5.0.10, 5.5.1.11, 5.6.0.11, 5.7.0.15, 6.0

CVE-2016-6858: Stored XSS Vulnerability in the HMC - "Create Employee" Functionality

Authenticated users in the HMC, having permissions to create new employees, may place malicious
JavaScript code into an employee's "Name" field. Once this newly created employee logs in, the
injected code is executed. The vulnerability arises due to improper output encoding of employee
names during the login process.

Affected Version: 5.6
Fixed Versions:   5.0.4.11, 5.1.0.11, 5.1.1.12, 5.2.0.X, 5.3.0.10, 5.4.0.9, 5.5.0.9, 5.5.1.10,
                  5.6.0.8, 5.7.0.9, 6.0

Timeline:
---------
2016-03-15: Vulnerability discovered
2016-04-04: Initial vendor notification
2016-05-20: Vendor confirmed security issue
2016-06-14: Vendor released security fix & guidance to its customers
2016-09-14: Vendor informed about public advisory
2016-09-27: Vendor provided detailed version information and requested extension before disclosure
2016-10-28: Public disclosure

References:
-----------
[1]: https://www.hybris.com
[2]: http://go.sap.com
[3]: https://www.compass-security.com/research/advisories/
[4]: http://scn.sap.com/docs/DOC-55451
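Appendix (added illustration, not part of the original advisory and not SAP or Hybris code): the three sinks named in the Technical Description all share one root cause, missing output encoding. The renderer below is a constructed stand-in for the HMC pages, showing an unencoded catalogue ID beside context-correct encoding for the catalogue ID (HTML text), the employee name (HTML attribute and text) and the reflected "itemsperpage" parameter (validated, then placed into an attribute and an inline script). Function names, the 20-item default and the 1-100 range are assumptions for the example.

```python
"""Context-aware output encoding for the HMC sinks named in the advisory.
Constructed example: the template strings, names and limits are not Hybris code."""
import html
import json


def render_catalogue_entry_unsafe(catalogue_id: str) -> str:
    """The defect pattern behind CVE-2016-6857: the stored ID is interpolated
    into the Catalogue Browser markup verbatim, so tags in it become live."""
    return f'<li class="catalogue">{catalogue_id}</li>'


def render_catalogue_entry(catalogue_id: str) -> str:
    """HTML text context: entity-encode the ID before it reaches the page."""
    return f'<li class="catalogue">{html.escape(catalogue_id)}</li>'


def render_welcome_banner(employee_name: str) -> str:
    """Employee name shown after login (CVE-2016-6858 sink), used both inside
    a title attribute and as element text. quote=True also encodes ' and "
    so the value cannot terminate the attribute."""
    safe = html.escape(employee_name, quote=True)
    return f'<span title="{safe}">Welcome, {safe}</span>'


def render_inbox_search(items_per_page: str) -> str:
    """Reflected request parameter (CVE-2016-6856 sink). A numeric parameter
    should never be echoed as free text: validate it to an integer in an
    assumed 1-100 range, fall back to an assumed default of 20, and emit the
    integer via json.dumps so the inline-script context is safe as well."""
    if not items_per_page.isdigit() or not 1 <= int(items_per_page) <= 100:
        items_per_page = "20"
    n = int(items_per_page)
    return (f'<input name="itemsperpage" value="{n}">'
            f"<script>var pageSize = {json.dumps(n)};</script>")


if __name__ == "__main__":
    # Constructed inputs: a name with a quote and markup, a non-numeric page size.
    print(render_catalogue_entry_unsafe("cat<b>"))
    print(render_catalogue_entry("cat<b>"))
    print(render_welcome_banner('O"Brien <b>'))
    print(render_inbox_search('1"><b>'))
```

Reviewing a fix for this class of bug means checking every sink's context, not just adding one escape call: the attribute and script cases above need different handling from plain element text.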