PT-2024-22871 · Sylius · Sylius

Published: 2024-04-22 · Updated: 2025-09-15 · CVE-2024-29376

CVSS v3.1: 6.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Sylius versions 1.12.13 through 1.12.15; Sylius versions prior to 1.13.1
Description: The issue is a Cross-Site Scripting (XSS) vulnerability via the "Province" field in the Address Book. An attacker can save XSS code in the province field in the Checkout and Address Book, and it is then executed on these pages. The code runs when a user opens the address step page in the checkout or edits an address in the address book. This only affects the base Shop UI provided by Sylius.
Recommendations: For Sylius versions 1.12.13 through 1.12.15, update to version 1.12.16 or later. For Sylius versions prior to 1.13.1, update to version 1.13.1 or later. As a temporary workaround, consider adding a custom JavaScript file assets/shop/sylius-province-field.js that sanitizes the input in the province field, and then rebuild your assets using yarn build.
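The workaround above comes down to escaping the stored province value before it is written into the address form's markup. The following is an added example, not Sylius's own sylius-province-field.js, showing an unsafe renderer for the province option next to a hardened one; the province record shape and the function names are assumptions.

```javascript
// Added example (not Sylius code): unsafe vs. hardened rendering of a stored
// province record into an <option> for the address form.
// Function and field names (code, name) are hypothetical.

// The five characters that can break out of HTML text or attribute context.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Unsafe: name and code land in the markup unchanged, so a province saved
// with markup in its name is rendered as live HTML when the form loads.
function renderProvinceOptionUnsafe(province) {
  return `<option value="${province.code}">${province.name}</option>`;
}

// Hardened: every user-controlled string is escaped before insertion, in the
// attribute value and in the element text alike.
function renderProvinceOption(province) {
  return `<option value="${escapeHtml(province.code)}">${escapeHtml(province.name)}</option>`;
}

// Builds the body of the province <select> from a list, escaping each entry.
function renderProvinceSelect(provinces) {
  return provinces.map(renderProvinceOption).join('');
}

// Constructed sample: one clean province and one whose stored name carries
// markup of the kind the advisory describes being saved in the province field.
const SAMPLE_PROVINCES = [
  { code: 'FR-IDF', name: 'Ile-de-France' },
  { code: 'FR-XX', name: 'Bretagne<script>alert(1)</script>' },
];

console.log('unsafe:   ', SAMPLE_PROVINCES.map(renderProvinceOptionUnsafe).join(''));
console.log('hardened: ', renderProvinceSelect(SAMPLE_PROVINCES));
```

Where the code builds DOM nodes rather than HTML strings, setting `textContent` on a created `<option>` achieves the same result without a manual escape table.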

Tags: Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers: CVE-2024-29376, GHSA-7PRJ-9CCR-HR3Q, GHSA-MW82-6M2G-QH6C

Affected Products: Sylius