Security Bulletin SC2020-003-435698

  • This article reports a High severity vulnerability (SC2020-003-435698) in the Sitecore JSS React Sample Application, for which a fix is available.

    This vulnerability may cause page content intended for one user to be shown to another user.

    We encourage Sitecore customers and partners to familiarize themselves with the information below and apply the fix to all impacted Sitecore systems. We also recommend that customers maintain their environments on security-supported versions and apply all available security fixes without delay.

    If you would like to receive notifications about new Security Bulletins, please subscribe to the Security Bulletins RSS Feed.

  • To help customers and partners understand the severity of potential security vulnerabilities, Sitecore uses the following definitions to report security issues: https://kb.sitecore.net/articles/608800
  • Versions affected

    Vulnerability SC2020-003-435698 affects all versions of Sitecore JSS React Sample Application starting from JSS 11.0.0 and up to (and including) JSS 14.0.1.

    Versions not affected

    This vulnerability does not affect versions of the Sitecore JSS React Sample Application lower than JSS 11 or higher than JSS 14.

    This vulnerability does not affect Sitecore web sites that do not use the Sitecore JSS framework.

    This vulnerability does not affect Sitecore web sites that use the Sitecore JSS framework and have been implemented in React without using code from the Sitecore JSS React Sample Application.

    This vulnerability does not affect Sitecore web sites that use the Sitecore JSS framework and have been implemented in frameworks other than React (e.g. Angular, Vue).

  • New versions of the JSS React Sample Application that resolve the issue have been released for each affected JSS release. However, because the issue is in sample code that is intended to be extended and customized, you will need to adapt the changes to your own solution.

    JSS 11.0.4

    Updated Sample
    Required Changes

    JSS 12.0.2

    Updated Sample
    Required Changes

    JSS 13.2.2

    Updated Sample
    Required Changes

    JSS 14.0.2

    Updated Sample
    Required Changes

    Fix Verification

    Because the fix for the issue is in sample code rather than in a Sitecore distributive, the recommended way to validate that the fix has been implemented is to ensure that global variables or singletons are not used to store page state in your application’s server-side JavaScript code. Global variables include any variable defined outside the context of a class or function (example). Singletons include any use of "export default new" (example).
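    The following is an added illustration, not Sitecore's code and not taken from the JSS sample, of why that check matters: a module-level singleton holding page state is shared by every concurrent server-side render, so one request can resume and read another request's route. The `PageState` class, the `fetchLayout` stand-in and the two sample requests are assumptions constructed for the demonstration.

```javascript
// Added example (not Sitecore's code, nor taken from the JSS sample): a module-level
// singleton holding page state leaks content between two concurrent server-side
// renders; the per-request alternative does not. Requests, delays and the
// fetchLayout stand-in are constructed sample data.

class PageState {
  constructor() { this.route = null; }
  setRoute(route) { this.route = route; }
  getRoute() { return this.route; }
}

// The leaky pattern: one instance shared by every request the server process handles
// (the equivalent of "export default new PageState()" in a module).
const sharedPageState = new PageState();

// Stand-in for a Layout Service call; the delay lets another request interleave.
function fetchLayout(route) {
  return new Promise((resolve) =>
    setTimeout(() => resolve({ title: route.title, forUser: route.user }), route.delayMs));
}

async function renderLeaky(request) {
  sharedPageState.setRoute(request); // overwrites whatever another in-flight request set
  const layout = await fetchLayout(request);
  // By the time we resume, the singleton may already describe someone else's route.
  return `<h1>${sharedPageState.getRoute().title}</h1> for ${layout.forUser}`;
}

async function renderPerRequest(request) {
  const pageState = new PageState(); // fresh instance scoped to this render only
  pageState.setRoute(request);
  const layout = await fetchLayout(request);
  return `<h1>${pageState.getRoute().title}</h1> for ${layout.forUser}`;
}

// Renders two concurrent requests and reports, per user, whether the HTML they
// received carries a title that does not belong to their own request.
async function simulate(render) {
  const requests = [ // constructed sample requests
    { user: 'alice', title: 'Alice private page', delayMs: 20 },
    { user: 'bob', title: 'Bob public page', delayMs: 5 },
  ];
  const html = await Promise.all(requests.map(render));
  return requests.map((req, i) => ({ user: req.user, leaked: !html[i].includes(req.title) }));
}

simulate(renderLeaky).then((r) => console.log('singleton state:', r))
  .then(() => simulate(renderPerRequest))
  .then((r) => console.log('per-request state:', r));
```

    With the shared singleton, alice's render resumes after bob's request has overwritten the route and serves bob's title; with per-request state both users receive their own page.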

Applies to:

JSS 11 - 14

JSS 11.0.4, 12.0.2, 13.2.2, 14.0.2

September 29, 2020
September 30, 2020

Reference number:

435698

Keywords:

  • JSS
  • Security Vulnerabilities