Sylius · Sylius · CVE-2024-34349
**Name of the Vulnerable Software and Affected Versions**
Sylius versions prior to 1.12.16 and 1.13.1
**Description**
There is a possibility to execute JavaScript code in the Admin panel. To perform an XSS attack, input a script into the `Name` field of one of the following resources: Taxons, Products, Product Options, or Product Variants. The code will be executed while using an autocomplete field with one of the listed entities in the Admin Panel, and also, for taxons, in the category tree on the product form.
**Recommendations**
For versions prior to 1.12.16 and 1.13.1, apply the following workarounds:
1. Create new file `assets/admin/sylius-lazy-choice-tree.js` with the provided JavaScript code to sanitize input.
2. Create new file `assets/admin/sylius-auto-complete.js` with the provided JavaScript code to sanitize input.
3. Create new file `assets/admin/sylius-product-auto-complete.js` with the provided JavaScript code to sanitize input.
4. Add new imports in `assets/admin/entry.js` for the created files.
5. Rebuild assets using `yarn build`.
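The description above shows a stored XSS where an entity `Name` is rendered into autocomplete markup unescaped; the workaround files sanitize that output. The block below is an added illustration, not Sylius code and not the "provided JavaScript code" of the workaround: it shows the vulnerable rendering pattern next to a hardened one, with a constructed sample item and hypothetical function names.

```javascript
// Added illustration (not Sylius code): rendering an entity name into an
// autocomplete result list without letting the name be parsed as HTML.

// Minimal HTML escaper for text that will be interpolated into an innerHTML string.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the stored name is dropped into markup as-is, so any
// tag or event handler typed into the admin "Name" field becomes live HTML
// as soon as the autocomplete widget shows the result.
function renderResultUnsafe(item) {
  return `<div class="item" data-value="${item.id}">${item.name}</div>`;
}

// Hardened pattern: escape every untrusted value before interpolation
// (when building real DOM nodes, setting textContent achieves the same).
function renderResultSafe(item) {
  return `<div class="item" data-value="${escapeHtml(item.id)}">${escapeHtml(item.name)}</div>`;
}

// Constructed sample: a product whose name carries a hostile tag, as an admin
// form would store it (sample data, not taken from the advisory).
const sampleItem = { id: 'product-1', name: '<img src=x onerror="alert(1)">Shoe' };

// Quick comparison when run stand-alone.
console.log('unsafe:', renderResultUnsafe(sampleItem));
console.log('safe:  ', renderResultSafe(sampleItem));
```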
At the moment, there is no information about a newer version that contains a fix for this vulnerability.