NEW VERSION Sylius 2 is officially here. Check the release!
https://sylius.com/blog/csrf-vulnerability-in-admin-panel/
en
https://sylius.com/fr/
fr
https://sylius.com/de/
de
https://sylius.com/pl/
pl
< 1 min. read
Categories: News Technical
CSRF vulnerability in the admin panel
CSRF vulnerability in the admin panel

The quality of our software has always been the most important thing for us. Nevertheless, live issues happen and only thanks to your alertness we are able to fix them and improve. So, what happened?

Affected versions

Sylius 1.0.0 to 1.0.16, 1.1.0 to 1.1.8, 1.2.0 to 1.2.1 versions of AdminBundle and ResourceBundle are affected by this security issue.

This issue has been fixed in Sylius 1.0.17, 1.1.9 and 1.2.2. Development branch for 1.3 release has also been fixed.

Description

The following actions in the admin panel did not require a CSRF token:

  • marking order’s payment as completed
  • marking order’s payment as refunded
  • marking product review as accepted
  • marking product review as rejected

Resolution

The issue is fixed by adding a required CSRF token to those actions.

We also fixed ResourceController‘s  applyStateMachineTransitionAction
method by adding a CSRF token check. If you use that action in the API context, you can disable it by adding csrf_protection: false to its routing configuration.

Credits

We would like to thank Paweł Waniek for reporting this security issue and Kamil for a quick reaction.

Reporting security issues

If you think that you have found a security issue in Sylius, please contact us at [email protected].

Tags:
Share:
More from our blog
Technical < 1 min read 04.12.2024
Here’s everything you had to know about the first major release since 2017! Over 7 years after the first major release, on Nov 12, 2024, we have released Sylius 2.0.0. We had a great opportunity to announce it first at SyliusCon in Lyon, but now, as we are back to… Read More
< 1 min read 22.11.2024
The emotions start to settle after SyliusCon, and it’s time to reflect on this incredible milestone in our journey. Why a milestone? Because SyliusCon exceeded our expectations in every possible way. We broke attendance records and brought together the key figures of our community, numerous partners, freelancers, and simply all… Read More
Cloud < 1 min read 17.06.2024
We are thrilled to announce that we just signed a strategic partnership with Platform.sh, and as a result, we are extending our offer with Sylius Cloud powered by Platform.sh. Platform.sh is a modern Platform-as-a-Service (PaaS) solution that allows businesses to leverage the cloud environment without losing access to the code… Read More
Comments
Subscribe to our newsletter
And be the first to know about Sylius news
Made with ♥️ in