PT-2024-25805 · Sylius · Sylius
Mpysiak · Published 2024-05-10 · Updated 2024-07-08 · CVE-2024-34349
CVSS v3.1: 4.8 (Medium)
Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Sylius versions prior to 1.12.16 and 1.13.1
Description
It is possible to execute JavaScript code in the Admin panel. To perform an XSS attack, a script is entered into the Name field of one of the following resources: Taxons, Products, Product Options, or Product Variants. The code is executed when an autocomplete field for one of the listed entities is used in the Admin panel, and also for taxons in the category tree on the product form.
Recommendations
For versions prior to 1.12.16 and 1.13.1, apply the following workarounds:
- Create a new file assets/admin/sylius-lazy-choice-tree.js with the provided JavaScript code to sanitize input.
- Create a new file assets/admin/sylius-auto-complete.js with the provided JavaScript code to sanitize input.
- Create a new file assets/admin/sylius-product-auto-complete.js with the provided JavaScript code to sanitize input.
- Add new imports in assets/admin/entry.js for the created files.
- Rebuild assets using yarn build.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
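The workaround files above are not reproduced on this page. The following is an added illustration of the kind of output escaping such an autocomplete or choice-tree script needs, written for this record and not Sylius's own code; the entity shape, function names and sample product name are assumptions.

```javascript
// Added illustrative example (not Sylius's patch): escape stored entity
// names before they are interpolated into admin autocomplete / category-tree
// markup, so a Name field containing markup renders as literal text.

// Characters with meaning in HTML text or attribute context and their entities.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Identifiers go into attributes; coerce to an integer so they cannot carry markup.
function safeId(value) {
  const id = Number(value);
  if (!Number.isInteger(id)) {
    throw new TypeError('entity id must be an integer');
  }
  return id;
}

// One dropdown entry for an autocomplete widget (assumed shape: { id, name }).
// The attribute value and the visible text are both escaped.
function renderAutocompleteItem(entity) {
  return `<div class="item" data-value="${safeId(entity.id)}">${escapeHtml(entity.name)}</div>`;
}

// One node of a taxon (category) tree, recursing into children; the same
// escaping is applied at every level of the tree.
function renderTaxonTree(node) {
  const children = (node.children || []).map(renderTaxonTree).join('');
  const sub = children ? `<ul>${children}</ul>` : '';
  return `<li data-id="${safeId(node.id)}">${escapeHtml(node.name)}${sub}</li>`;
}

// Constructed sample: a product whose Name carries a script tag, as the
// description above says an attacker would supply.
const SAMPLE_PRODUCT = { id: 7, name: 'Sneakers <script>alert(1)</script>' };
const SAFE_ITEM = renderAutocompleteItem(SAMPLE_PRODUCT);
```

Rendering the escaped string with `innerHTML` (or building the node with `textContent`) leaves the script tag as visible text rather than executable markup.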
Exploit
XSS
Affected Products
Sylius