CVE-2024-41735

5.4 MEDIUM

📋 TL;DR

SAP Commerce Backoffice has a cross-site scripting (XSS) vulnerability: user-controlled input is rendered in the Backoffice UI without sufficient encoding, so an attacker who can place content there can inject script that runs in the browser of an administrator or business user who views it. SAP's assessment rates the impact on confidentiality and integrity as low (CVSS 5.4, medium).

💻 Affected Systems

Products:
  • SAP Commerce Backoffice
Versions: Not listed in the CVE record; see SAP Note 3483256 for the affected and fixed versions
Operating Systems: All platforms running SAP Commerce
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects SAP Commerce Backoffice component; requires user interaction to exploit

📦 What is this software?

SAP Commerce (formerly SAP Hybris Commerce) is SAP's enterprise e-commerce platform. Backoffice is its web-based administration and business-user interface, used to manage catalogs, products, orders, customers and user accounts. It is a Java application whose UI is built on the ZK framework, and it renders data that can originate from storefront users or integrations.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker who gets script into a Backoffice page can act in Backoffice with the privileges of the administrator who views it, exfiltrate whatever data that page exposes, or redirect the user to a site under the attacker's control. Session cookies can be read only if they are not flagged HttpOnly; even then, actions can be driven directly from the victim's browser.

🟠 Likely Case

Injected script executes in the browser of a Backoffice user, stealing data the page exposes or performing a limited set of unauthorized actions as that user.

🟢 If Mitigated

Once the patch (correct output encoding) is applied, injected content is rendered as inert text and no script executes.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: No
Weaponized: Unknown
Unauthenticated Exploit: No
Complexity: Low

XSS vulnerabilities typically have low exploitation complexity, but exploitation requires a victim with Backoffice access to view the injected content.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check SAP Note 3483256 for specific patch versions

Vendor Advisory: https://me.sap.com/notes/3483256

Restart Required: Yes

Instructions:

1. Review SAP Note 3483256 for the affected versions and the matching patch.
2. Apply the security patch from SAP.
3. Restart the SAP Commerce services.
4. Verify the fix by re-testing the previously affected input fields and confirming that injected markup is rendered encoded.

🔧 Temporary Workarounds

Input Validation Enhancement (all platforms)

Add output encoding in custom Backoffice extensions: HTML-encode every user-controlled value at the point where it is rendered into a Backoffice UI component, choosing the encoding for the context it lands in (HTML text, attribute value, URL). Input validation on its own is not a substitute, because data stored before the check existed is still rendered.
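The encoding principle behind this workaround, as an added Python illustration (Backoffice itself is Java/ZK, and this is not SAP's code): the vulnerable pattern concatenates user data straight into markup, while the hardened form encodes for the HTML text and attribute contexts and allowlists URL schemes separately, because HTML encoding alone does not neutralise a `javascript:` href. The sample values and function names are constructed for the example.

```python
import html
from urllib.parse import urlsplit

# Constructed attacker-controlled values, e.g. a customer name and homepage
# entered through a storefront form and later displayed in Backoffice.
SAMPLE_NAME = "<img src=x onerror=alert(1)>"
SAMPLE_URL = "javascript:alert(document.cookie)"


def render_unsafe(display_name: str, homepage: str) -> str:
    """Vulnerable pattern: user data is concatenated straight into markup."""
    return f'<div class="customer">{display_name} <a href="{homepage}">site</a></div>'


def safe_url(url: str) -> str:
    """Allow only absolute http(s) URLs; anything else becomes an inert '#'.

    Encoding does not help here: 'javascript:' contains no HTML-special
    characters, so the scheme must be allowlisted instead.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() in ("http", "https") and parts.netloc:
        return html.escape(url, quote=True)
    return "#"


def render_safe(display_name: str, homepage: str) -> str:
    """Hardened pattern: encode per context.

    html.escape(quote=True) is correct for HTML text and for values inside
    quoted attributes. It is NOT sufficient for unquoted attributes or for
    data placed inside a <script> block; those need their own encoders.
    """
    text = html.escape(display_name, quote=True)
    return f'<div class="customer">{text} <a href="{safe_url(homepage)}">site</a></div>'


def injected(rendered: str, *needles: str) -> bool:
    """True if any attacker-supplied fragment survives verbatim in the output."""
    return any(needle in rendered for needle in needles)


if __name__ == "__main__":
    print(render_unsafe(SAMPLE_NAME, SAMPLE_URL))
    print(render_safe(SAMPLE_NAME, SAMPLE_URL))
```

In the hardened output the image tag appears as `&lt;img ...&gt;` text and the link target is replaced by `#`; the unsafe output still contains both payloads verbatim.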

Content Security Policy (all platforms)

Serve Content Security Policy headers on Backoffice responses to restrict inline scripts and external script sources. Test in a non-production system first, since a restrictive policy can break the Backoffice UI, and keep in mind that CSP limits the damage of an injection rather than removing it.

🧯 If You Can't Patch

  • Deploy web application firewall (WAF) rules that block common XSS payloads on Backoffice paths; treat this as a stopgap, since encoded or obfuscated payloads routinely bypass signature rules
  • Restrict access to the Backoffice interface to trusted networks (VPN or allowlisted ranges), which shrinks the pool of users who could be targeted

🔍 How to Verify

Check if Vulnerable:

In a non-production system, submit a harmless marker containing <, >, " and ' into user-controlled fields that Backoffice renders, then inspect the page source: the marker must appear with those characters encoded, never verbatim.

Check Version:

Check SAP Commerce version through administration console or review system properties

Verify Fix Applied:

After patching, repeat the same test on the same fields and confirm that the marker is rendered encoded and that no script executes.
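A checker for the before/after comparison above, added here as example code rather than anything SAP ships: given the response body for a field that was seeded with a probe string, it reports whether the probe came back raw, fully encoded, only partially encoded (angle brackets escaped but quotes left raw, which still permits attribute breakout), or not at all. The probe, the entity table and the sample response bodies are constructed for this example; the check covers server-rendered markup only and will not catch DOM-based or script-context sinks.

```python
import html
import re

# Constructed probe: the letters are a unique tag for locating the reflection,
# the middle holds every character whose encoding matters for HTML injection.
PROBE = 'xq7<"\'>xq7'

# Accepted encodings per special character (named, decimal and hex entities).
ENCODINGS = {
    "<": ("&lt;", "&#60;", "&#x3c;", "&#x3C;"),
    ">": ("&gt;", "&#62;", "&#x3e;", "&#x3E;"),
    '"': ("&quot;", "&#34;", "&#x22;"),
    "'": ("&#x27;", "&#39;", "&apos;"),
}


def _probe_pattern(probe: str) -> re.Pattern:
    """Regex matching the probe with each special char either raw or encoded."""
    parts = []
    for ch in probe:
        if ch in ENCODINGS:
            alts = [re.escape(ch)] + [re.escape(e) for e in ENCODINGS[ch]]
            parts.append("(" + "|".join(alts) + ")")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts))


def classify_reflection(body: str, probe: str = PROBE) -> str:
    """Return 'absent', 'encoded', 'raw' or 'partial:<raw chars>'."""
    match = _probe_pattern(probe).search(body)
    if match is None:
        return "absent"
    specials = [ch for ch in probe if ch in ENCODINGS]
    # One capture group per special char, in probe order; a group equal to the
    # character itself means it was reflected without encoding.
    raw = [ch for ch, seen in zip(specials, match.groups()) if seen == ch]
    if not raw:
        return "encoded"
    if len(raw) == len(specials):
        return "raw"
    return "partial:" + "".join(raw)


def verify_fields(responses: dict) -> dict:
    """Classify every field's response body; anything but 'encoded' or 'absent' fails."""
    return {field: classify_reflection(body) for field, body in responses.items()}


# Constructed response bodies standing in for what a Backoffice page returns
# for each seeded field before and after the fix.
SAMPLE_RESPONSES = {
    "unpatched_name": "<td>" + PROBE + "</td>",
    "patched_name": "<td>" + html.escape(PROBE, quote=True) + "</td>",
    "attr_only_angle": '<input value="' + PROBE.replace("<", "&lt;").replace(">", "&gt;") + '">',
    "not_shown": "<td>other customer</td>",
}


if __name__ == "__main__":
    for field, verdict in verify_fields(SAMPLE_RESPONSES).items():
        print(f"{field}: {verdict}")
```

Use a fresh probe per field so reflections can be told apart, and treat a `partial:` verdict as a failure: `&lt;` without `&quot;` is exactly the kind of incomplete encoding that leaves an attribute-context injection open.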

📡 Detection & Monitoring

Log Indicators:

  • Unusual input patterns containing script tags or JavaScript in Backoffice logs
  • Multiple failed login attempts followed by suspicious input

Network Indicators:

  • HTTP requests containing script tags or JavaScript payloads to Backoffice endpoints

SIEM Query:

source="sap_commerce_logs" AND (message="<script" OR message="javascript:" OR message="onerror=" OR message="onload=")

🔗 References

  • SAP Note 3483256: https://me.sap.com/notes/3483256
  • NVD entry for CVE-2024-41735: https://nvd.nist.gov/vuln/detail/CVE-2024-41735
