PT-2019-12687 · Sylius · Sylius+1

Published 2019-12-31 · Updated 2020-04-15 · CVE-2019-12186

CVSS v3.1: 4.8 (Medium)
Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions

- sylius/sylius versions 1.0.x through 1.0.18
- sylius/sylius versions 1.1.x through 1.1.17
- sylius/sylius versions 1.2.x through 1.2.16
- sylius/sylius versions 1.3.x through 1.3.11
- sylius/sylius versions 1.4.x through 1.4.3
- sylius/grid versions 1.0.x through 1.0.18
- sylius/grid versions 1.1.x through 1.1.18
- sylius/grid versions 1.2.x through 1.2.17
- sylius/grid versions 1.3.x through 1.3.12
- sylius/grid versions 1.4.x through 1.4.4
- sylius/grid version 1.5.0
Description

The issue stems from missing input sanitization: an attacker can achieve XSS by injecting malicious markup into a field that is displayed in a grid with the "string" field type. The vulnerable case is a field whose value is an object, where the malicious markup is returned by that object's toString() method. The grid component omits HTML sanitization when it renders an object implementing toString() through the string field type, so the returned markup reaches the page unescaped.
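As an added illustration, not code from Sylius or the sylius/grid package: a simplified model of a grid "string" field type that passes an object through toString() without escaping, beside a version that escapes every rendered value. The Customer class and both field-type class names are assumptions made for the example.

```php
<?php
// Added illustration (not the project's own StringFieldType): a minimal
// "string" field type showing the unescaped object path and its fix.

// Constructed entity whose __toString() returns user-supplied data,
// e.g. a display name a customer entered during registration.
final class Customer
{
    private string $displayName;

    public function __construct(string $displayName)
    {
        $this->displayName = $displayName;
    }

    public function __toString(): string
    {
        return $this->displayName;
    }
}

// Vulnerable variant: plain strings are escaped, but an object is cast
// through __toString() and returned verbatim, so markup inside the
// value is emitted into the grid's HTML unescaped.
final class VulnerableStringFieldType
{
    public function render($value): string
    {
        if (is_object($value) && method_exists($value, '__toString')) {
            return (string) $value; // no sanitization on this path
        }
        return htmlspecialchars((string) $value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Fixed variant: every value, including objects converted via
// __toString(), is HTML-escaped before the grid template receives it.
final class SafeStringFieldType
{
    public function render($value): string
    {
        return htmlspecialchars((string) $value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

$customer = new Customer('<script>alert(1)</script>'); // constructed hostile input

// The vulnerable field type emits the script tag as live markup; the safe
// one turns the angle brackets into entities so it is shown as text.
echo (new VulnerableStringFieldType())->render($customer), PHP_EOL;
echo (new SafeStringFieldType())->render($customer), PHP_EOL;
```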
Recommendations

Update to a version outside of the affected range to mitigate the risk:

- sylius/sylius versions 1.0.x through 1.0.18
- sylius/sylius versions 1.1.x through 1.1.17
- sylius/sylius versions 1.2.x through 1.2.16
- sylius/sylius versions 1.3.x through 1.3.11
- sylius/sylius versions 1.4.x through 1.4.3
- sylius/grid versions 1.0.x through 1.0.18
- sylius/grid versions 1.1.x through 1.1.18
- sylius/grid versions 1.2.x through 1.2.17
- sylius/grid versions 1.3.x through 1.3.12
- sylius/grid versions 1.4.x through 1.4.4
- sylius/grid version 1.5.0

As a temporary workaround, consider disabling the toString() method in objects displayed in grids with the "string" field type until a patch is available. Restrict access to the grid component to minimize the risk of exploitation. Avoid using the string field type in grids until the issue is resolved.

XSS

Weakness Enumeration

Related Identifiers

CVE-2019-12186
GHSA-RC5R-697F-28X6

Affected Products

Sylius
Sylius Grid