# suitecommerce
d
Hey everyone, our webstore is currently running on 2019.1. I recently found an article in SuiteAnswers regarding a vulnerability, CVE-2020-14728. The article talks about overriding code in ServiceController.js, but when I do this it breaks the error messages. Original code:
var content = {
errorStatusCode: parseInt(status,10).toString()
, errorCode: code
, errorMessage: message
}
Suggested code in the article:
var content = {
   errorStatusCode: parseInt(status, 10).toString(),
   errorCode: code,
   errorMessage: _.escape(message)
};
Does anybody have an idea of what this vulnerability is and how this code addresses it? And why are the error messages breaking? Thanks in advance. We also raised a support case on this: support case number 3930593.
Attaching the screenshot relating to the above error.
k
We looked at the patch - the code to be replaced uses "const" instead of var. The ns.package.json didn't include SuiteScript files as per the example. We applied the patch, and the override was successful according to the terminal, but we were unable to deploy because of a TS error.
s
I cannot give an official position on this as I've yet to receive word back from the developers, but my understanding is that the instructions given for ns.package.json are incorrect (thanks to Kerrie for pointing that out).
So where we have
{
   "gulp": {
      "javascript": [
         "JavaScript/*.js"
      ]
   },
   "overrides": {
      "suitecommerce/SspLibraries@X.Y.Z/SuiteScript/ServiceController.js" : "SuiteScript/ServiceController.js"
   }
}
We should have instead said:
{
   "gulp": {
      "ssp-libraries": [
         "SuiteScript/*.js"
      ]
   },
   "overrides": {
      "suitecommerce/SspLibraries@x.y.z/SuiteScript/ServiceController.js" : "SuiteScript/ServiceController.js"
   }
}
But as I said, this is not official yet. You should continue with your support case and heed their advice.
k
yep - got that part - it's the TS error that remains - any news on that? I may need to add to that case
oh, and the const vs var... it should stay const, I assume...
s
I don't, personally, see a reason for using const over var. And no, I've not heard anything about the TS thing
k
ok - I think keeping const to match the original is what we will do.
d
Hi @Steve Goldberg @kkennedydesign, thanks for your views. I replaced the code in ns.package.json as mentioned above. I still see the error messaging break.
k
surprised you actually got it to deploy
however, I am having problems on 2019.2 not 2019.1
have not tried 2019.1 yet
w
Curious, should those variables be declared as 'var', since ServiceController.js is written in 1.0? Or are you writing an extension with SS2.0?
k
this is an override of a core NS file that includes const
p
@Durgasree the error message breaks because in ServiceController.js the replaced code contains _.escape for the message
d
@Paper Plane Netsuite Group Thanks for the input. I thought so too, but the support rep said he was not able to replicate the issue with the "base theme" and that this issue is replicated only through a "custom theme". Our custom theme is version 18.2 and the SSP is version 19.1; I'm thinking that could be the reason too. Also, this _.escape method is what was recommended to address the vulnerability.
f
To fix the error message showing HTML instead of a link, try the following:
1. Go to Backbone.FormView.
a. Add a method called transformResponseText:
transformResponseText: function(response) {},
b. Go to the method saveForm. Go to the line where the error response of the model.save is processed, and below the if condition add this line:
self.transformResponseText(response);
It should look like this:
if (response.responseText) {
    self.transformResponseText(response);
    // code
}
2. For the issue showing up in the screenshot you attached, the fix is to go to the LoginRegister.Login.View and add this method:
transformResponseText: function(response) {
response.responseText = _.unescape(response.responseText);
}
If this issue shows up on another page, you will need to go to the View that calls the method saveForm that shows the HTML error and add this method:
transformResponseText: function(response) {
response.responseText = _.unescape(response.responseText);
}
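The following is an added example, not code from this thread or from NetSuite, that reproduces the two things discussed above end to end: why the patched ServiceController.js escapes the message (the first post's question) and why that turns a service-authored link into literal text until the view unescapes it again (the transformResponseText fix in the last post). escapeHtml and unescapeHtml are stand-ins for underscore's _.escape and _.unescape, assumed to cover the same six characters; buildErrorContent is the patched content object; renderAsHtml stands in for a template that inserts errorMessage as HTML; unescapeErrorMessage plays the role of the transformResponseText hook but is applied to the parsed errorMessage field rather than the raw responseText, an assumption made so the example does not need to deal with JSON quoting. The two sample messages are constructed.

```javascript
// Added example (not from the thread or NetSuite): the escape/unescape round trip
// behind the CVE-2020-14728 patch and the "HTML instead of a link" symptom.

// Entity map assumed to match underscore's _.escape (the six characters it handles).
const ESCAPE_MAP = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '`': '&#x60;'
};
const UNESCAPE_MAP = Object.fromEntries(
  Object.entries(ESCAPE_MAP).map(([ch, ent]) => [ent, ch])
);

// Turn markup-significant characters into entities so a browser shows them as text.
function escapeHtml(s) {
  return String(s).replace(/[&<>"'`]/g, (ch) => ESCAPE_MAP[ch]);
}

// Reverse of escapeHtml for exactly the entities it produces (stand-in for _.unescape).
function unescapeHtml(s) {
  return String(s).replace(/&(?:amp|lt|gt|quot|#x27|#x60);/g, (ent) => UNESCAPE_MAP[ent]);
}

// Service side: the content object as the patched ServiceController.js builds it.
function buildErrorContent(status, code, message) {
  return {
    errorStatusCode: parseInt(status, 10).toString(),
    errorCode: code,
    errorMessage: escapeHtml(message)
  };
}

// View side: what a template does when it inserts errorMessage into the DOM as HTML.
// Returns the markup string the browser would parse.
function renderAsHtml(content) {
  return '<div class="alert alert-error">' + content.errorMessage + '</div>';
}

// Role of the thread's transformResponseText hook, applied to the parsed field.
// Only appropriate where the message is authored by the service itself; a message
// that echoes request input must stay escaped, or the patch's protection is undone.
function unescapeErrorMessage(content) {
  return Object.assign({}, content, { errorMessage: unescapeHtml(content.errorMessage) });
}

// Constructed sample messages (not from the page).
const LINK_MESSAGE = 'Please <a href="/login">log in</a> and try again';
const ECHOED_MESSAGE = 'Unknown user: guest<i>@example.com</i>';

// The symptom from the thread: the link arrives as entities and is displayed
// literally (brokenHtml); unescaping in the view restores it (fixedHtml).
function demoRoundTrip() {
  const content = buildErrorContent('403', 'ERR_LOGIN', LINK_MESSAGE);
  return {
    brokenHtml: renderAsHtml(content),
    fixedHtml: renderAsHtml(unescapeErrorMessage(content))
  };
}

// Why the patch exists: a message that echoes request input reaches the DOM as
// text, not as live markup, because the service escaped it.
function demoEchoedInput() {
  return renderAsHtml(buildErrorContent('400', 'ERR_UNKNOWN_USER', ECHOED_MESSAGE));
}

console.log(demoRoundTrip());
console.log(demoEchoedInput());
```

Running it shows the broken alert carrying `&lt;a href=&quot;/login&quot;&gt;` as visible text, the fixed alert carrying a real link, and the echoed input neutralised. The hook in the last post is the right place to undo the escape only for views whose messages come from the service's own strings; if a view's message can include anything the request sent, leave it escaped.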