Security fixes

The following WebSphere Commerce releases contain security fixes for defects that are considered to be security vulnerabilities. The following details provide security risk assessment information to help you assess if a particular issue might impact your organization.

To avoid preventable security issues, it is recommended that you stay up to date on the most current maintenance options for your products.

Important: For up-to-date bulletins, subscribe to the following services:

Vulnerabilities addressed in WebSphere Commerce 8.0.4.29

Affected software CVE(s) Vulnerability
jackson-databind, Spring Framework WS-2021-0616, CVE-2021-22096 Multiple vulnerabilities in open source components affect HCL Commerce

Vulnerabilities addressed in WebSphere Commerce 8.0.4.28

Affected software CVE(s) Vulnerability
CKeditor CVE-2021-26272 Vulnerability in CKeditor affects HCL Commerce
WebSphere Commerce CVE-2021-4104 Vulnerability in Apache Log4j 1.2 affects HCL Commerce
WebSphere Commerce CVE-2021-27751 HCL Commerce is affected by Insufficient Session Expiration vulnerability

Vulnerabilities addressed in WebSphere Commerce 8.0.4.27

Affected software CVE(s) Vulnerability
WebSphere Commerce CVE-2021-27750 Session termination vulnerability in HCL Commerce
WebSphere Commerce CVE-2021-27741 XML external entity (XXE) injection vulnerability in HCL Commerce
WebSphere Application Server CVE-2020-5258, CVE-2021-20453, CVE-2021-20454, CVE-2021-26296, CVE-2021-2161, CVE-2015-5262, CVE-2011-1498, CVE-2014-3577, CVE-2012-6153, CVE-2021-29754 Multiple vulnerabilities in WebSphere Application Server affect HCL Commerce
Apache PDFBox CVE-2021-31811, CVE-2021-31812 Multiple security vulnerabilities in Apache PDFBox affect HCL Commerce

Vulnerabilities addressed in WebSphere Commerce 8.0.4.26

Affected software CVE(s) Vulnerability
XMLBeans CVE-2021-23926 Vulnerability in XMLBeans affects HCL Commerce
Jackson Databind CVE-2020-25649 Vulnerability in Jackson Databind affects HCL Commerce
CKEditor CVE-2020-9281, CVE-2018-17960 Cross-site scripting (XSS) vulnerabilities in CKEditor shipped with HCL Commerce
Apache Tika CVE-2016-4434, CVE-2018-11761, CVE-2018-11796 Multiple vulnerabilities in Apache POI and Apache Tika affects HCL Commerce
Apache POI CVE-2017-12626, CVE-2014-9527, CVE-2017-12626, WS-2016-7061, WS-2016-7061, WS-2016-7061 Multiple vulnerabilities in Apache POI and Apache Tika affects HCL Commerce

Vulnerabilities addressed in WebSphere Commerce 8.0.4.18

Affected software CVE(s) Vulnerability
WebSphere Commerce CVE-2018-1541, CVE-2018-1807 CVE-2018-1541, CVE-2018-1807

Vulnerabilities addressed in WebSphere Commerce 8.0.4.17

Affected software CVE
WebSphere Commerce CVE-2018-1811

Vulnerabilities addressed in WebSphere Commerce 8.0.4.16

Affected software CVE
WebSphere Commerce CVE-2018-1739

Vulnerabilities addressed in WebSphere Commerce 8.0.4.15

Affected software CVE
WebSphere Commerce CVE-2018-1644

Vulnerabilities addressed in WebSphere Commerce 8.0.4.9

Affected software CVE
WebSphere Commerce CVE-2017-1484

Vulnerabilities addressed in WebSphere Commerce 8.0.4.6

Affected software CVE
WebSphere Commerce CVE-2017-1569