PT-2022-16852 · Sylius · Sylius

Lchrusciel · Published 2022-03-14 · Updated 2022-03-22 · CVE-2022-24749

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Sylius versions prior to 1.9.10
Sylius versions prior to 1.10.11
Sylius versions prior to 1.11.2

Description
The issue allows uploading an SVG file containing cross-site scripting (XSS) code through the admin panel. For the XSS to execute, the file itself has to be opened in a new browser tab or loaded outside of an <img> tag, since browsers do not run scripts in SVGs embedded as images. This applies to files served from both the admin panel and the shop pages.

Recommendations
For versions prior to 1.9.10, update to version 1.9.10 or later.
For versions prior to 1.10.11, update to version 1.10.11 or later.
For versions prior to 1.11.2, update to version 1.11.2 or later.
As a temporary workaround, consider requiring a library that adds on-upload file sanitization, such as enshrined/svg-sanitize, and overwriting the service before writing the file to the filesystem by using the provided ImageUploader class. Register the service in the container using the provided YAML configuration.
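The workaround above, as an added example that is not Sylius project code: a decorator around the Sylius image uploader that runs SVG uploads through enshrined/svg-sanitize before the inner uploader writes them, plus the service decoration needed to register it. The Sylius 1.x interface names and the service id "sylius.image_uploader" are assumptions about the installed version.

```php
<?php
// Added example, not Sylius project code. Decorates the Sylius image uploader so that
// SVG uploads are sanitized with enshrined/svg-sanitize before they reach the filesystem.
// Assumed: the Sylius 1.x interfaces imported below and the service id "sylius.image_uploader".
namespace App\Uploader;
use enshrined\svgSanitize\Sanitizer;
use Sylius\Component\Core\Model\ImageInterface;
use Sylius\Component\Core\Uploader\ImageUploaderInterface;

final class SanitizingImageUploader implements ImageUploaderInterface
{
    private ImageUploaderInterface $inner;
    private Sanitizer $sanitizer;
    public function __construct(ImageUploaderInterface $inner)
    {
        $this->inner = $inner;
        $this->sanitizer = new Sanitizer();
        $this->sanitizer->removeRemoteReferences(true); // also drop hrefs to external hosts
    }
    public function upload(ImageInterface $image): void
    {
        $file = $image->getFile();
        if ($file !== null && $this->looksLikeSvg($file)) {
            // The sanitizer strips <script>, on* handlers, javascript: URLs and unknown elements.
            $clean = $this->sanitizer->sanitize((string) file_get_contents($file->getPathname()));
            if ($clean === false) {
                throw new \RuntimeException('SVG could not be parsed; upload rejected.');
            }
            // Overwrite the temporary upload in place; the inner uploader then stores the clean copy.
            file_put_contents($file->getPathname(), $clean);
        }
        $this->inner->upload($image);
    }
    public function remove(string $path): bool
    {
        return $this->inner->remove($path);
    }
    private function looksLikeSvg(\SplFileInfo $file): bool
    {
        // The temp file carries no client extension, so sniff mime type and content instead.
        $mime = (string) (new \finfo(FILEINFO_MIME_TYPE))->file($file->getPathname());
        $head = (string) file_get_contents($file->getPathname(), false, null, 0, 2048);
        return strpos($mime, 'svg') !== false || stripos($head, '<svg') !== false;
    }
}
// config/services.yaml, registering the decorator over the original service:
//   App\Uploader\SanitizingImageUploader:
//       decorates: sylius.image_uploader
//       arguments: ['@.inner']
```

Rejecting unparseable SVGs rather than passing them through matters because the sanitizer cannot vouch for markup it could not parse.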

Tags: Exploit · Fix · XSS · Unrestricted File Upload


Related Identifiers

CVE-2022-24749
GHSA-4QRP-27R3-66FJ

Affected Products

Sylius