Name of the Vulnerable Software and Affected Versions: Sylius versions 1.0.0 through 1.0.16 Sylius versions 1.1.0 through 1.1.8 Sylius versions 1.2.0 through 1.2.1

Description: The issue affects certain actions in the admin panel that did not require a CSRF token, including marking order's payment as completed, marking order's payment as refunded, marking product review as accepted, and marking product review as rejected. The applyStateMachineTransitionAction method in ResourceController was also vulnerable.

Recommendations: For Sylius versions 1.0.0 through 1.0.16, update to version 1.0.17 to fix the issue. For Sylius versions 1.1.0 through 1.1.8, update to version 1.1.9 to fix the issue. For Sylius versions 1.2.0 through 1.2.1, update to version 1.2.2 to fix the issue. As a temporary workaround, consider disabling the applyStateMachineTransitionAction method in ResourceController until a patch is available, or add csrf protection: false to its routing configuration if used in the API context.