Lchrusciel

**Name of the Vulnerable Software and Affected Versions** Sylius versions prior to 1.9.10 Sylius versions prior to 1.10.11 Sylius versions prior to 1.11.2 **Description** The issue allows a page controlled by an attacker to load the website within an iframe, enabling a clickjacking attack. This attack overlays the target application's interface with a different interface provided by the attacker. **Recommendations** For versions prior to 1.9.10, update to version 1.9.10 or later. For versions prior to 1.10.11, update to version 1.10.11 or later. For versions prior to 1.11.2, update to version 1.11.2 or later. As a temporary workaround, consider setting the X-Frame-Options header to `sameorigin` for every response from the app by adding a new subscriber.

**Name of the Vulnerable Software and Affected Versions** Sylius versions prior to 1.9.10, 1.10.11, and 1.11.2 **Description** The issue allows any other user to view the data if the browser tab remains open after logging out. This can lead to a data leak, such as customer details or payment gateway configuration, if these pages were previously accessed by the administrator. The vulnerability requires full access to the computer to take advantage of it. **Recommendations** For versions prior to 1.9.10, 1.10.11, and 1.11.2, update to version 1.9.10, 1.10.11, or 1.11.2 to fix the issue. As a temporary workaround, consider implementing a strict redirect to the login page even when the browser back button is pressed. Another possibility is to set more strict cache policies for restricted content, such as 'no-store', by using a custom CacheControlSubscriber class.

**Name of the Vulnerable Software and Affected Versions** Sylius versions prior to 1.10.11 and 1.11.2 **Description** The reset password token was not set to null after the password was changed, allowing the same token to be used several times. This could result in a leak of the existing token and unauthorized password change. **Recommendations** For versions prior to 1.10.11 and 1.11.2, update to version 1.10.11 or 1.11.2 to fix the issue. As a temporary workaround, overwrite the `SyliusBundleApiBundleCommandHandlerResetPasswordHandler` class with the provided code and register it in a container.

**Name of the Vulnerable Software and Affected Versions** Sylius versions prior to 1.9.10 Sylius versions prior to 1.10.11 Sylius versions prior to 1.11.2 **Description** The issue allows uploading an SVG file containing cross-site scripting (XSS) code in the admin panel. To perform an XSS attack, the file itself has to be opened in a new card or loaded outside of the IMG tag. This problem applies to both files opened on the admin panel and shop pages. **Recommendations** For versions prior to 1.9.10, update to version 1.9.10 or later. For versions prior to 1.10.11, update to version 1.10.11 or later. For versions prior to 1.11.2, update to version 1.11.2 or later. As a temporary workaround, consider requiring a library that adds on-upload file sanitization, such as `enshrined/svg-sanitize`, and overwriting the service before writing the file to the filesystem by using the provided `ImageUploader` class. Register the service in the container using the provided YAML configuration.

**Name of the Vulnerable Software and Affected Versions** SyliusGridBundle versions prior to 1.10.1 and 1.11-rc2 **Description** The issue is related to the SyliusGridBundle package for Symfony applications, where values added at the end of query sorting were passed directly to the database. This could potentially lead to SQL injections, although the maintainers are unsure if it could result in direct SQL injections. The vulnerability allows a remote attacker to execute arbitrary SQL queries. **Recommendations** For versions prior to 1.10.1 and 1.11-rc2, overwrite the `SyliusComponentGridSortingSorter.php` class and register it in the container as a temporary workaround. The updated class should include input validation to prevent potential SQL injections. To implement the workaround, create a new `Sorter.php` class in the `src/App/Sorting` directory with the following content: ```php <?php // src/App/Sorting/Sorter.php declare(strict types=1); namespace AppSorting; use SymfonyComponentHttpKernelExceptionBadRequestHttpException; use SyliusComponentGridDataDataSourceInterface; use SyliusComponentGridDefinitionGrid; use SyliusComponentGridParameters; use SyliusComponentGridSortingSorterInterface; final class Sorter implements SorterInterface { public function sort(DataSourceInterface $dataSource, Grid $grid, Parameters $parameters): void { $enabledFields = $grid->getFields(); $expressionBuilder = $dataSource->getExpressionBuilder(); $sorting = $parameters->get('sorting', $grid->getSorting()); $this->validateSortingParams($sorting, $enabledFields); foreach ($sorting as $field => $order) { $this->validateFieldNames($field, $enabledFields); $gridField = $grid->getField($field); $property = $gridField->getSortable(); if (null !== $property) { $expressionBuilder->addOrderBy($property, $order); } } } private function validateSortingParams(array $sorting, array $enabledFields): void { foreach (array keys($enabledFields) as $key) { if (array key exists($key, $sorting) && !in array($sorting[$key],['asc','desc'])) { throw new BadRequestHttpException(sprintf('%s is not valid, use asc or desc instead.', $sorting[$key])); } } } private function validateFieldNames(string $fieldName, array $enabledFields): void { $enabledFieldsNames = array keys($enabledFields); if (!in array($fieldName, $enabledFieldsNames, true)) { throw new BadRequestHttpException(sprintf('%s is not valid field, did you mean one of these: %s?', $fieldName, implode(',', $enabledFieldsNames))); } } } ``` Then, register the new `Sorter` class in the `config/services.yaml` file: ```yaml # config/services.yaml services: # ... sylius.grid.sorter: class: AppSortingSorter ```