https://sylius.com/blog/csrf-vulnerability-in-admin-panel/
en
https://sylius.com/fr/
fr
https://sylius.com/de/
de
by Kamil Kokot
< 1 min. read
Categories: News Technical
CSRF vulnerability in the admin panel
CSRF vulnerability in the admin panel

The quality of our software has always been the most important thing for us. Nevertheless, live issues happen and only thanks to your alertness we are able to fix them and improve. So, what happened?

Affected versions

Sylius 1.0.0 to 1.0.16, 1.1.0 to 1.1.8, 1.2.0 to 1.2.1 versions of AdminBundle and ResourceBundle are affected by this security issue.

This issue has been fixed in Sylius 1.0.17, 1.1.9 and 1.2.2. Development branch for 1.3 release has also been fixed.

Description

The following actions in the admin panel did not require a CSRF token:

  • marking order’s payment as completed
  • marking order’s payment as refunded
  • marking product review as accepted
  • marking product review as rejected

Resolution

The issue is fixed by adding a required CSRF token to those actions.

We also fixed ResourceController‘s  applyStateMachineTransitionAction
method by adding a CSRF token check. If you use that action in the API context, you can disable it by adding csrf_protection: false to its routing configuration.

Credits

We would like to thank Paweł Waniek for reporting this security issue and Kamil for a quick reaction.

Reporting security issues

If you think that you have found a security issue in Sylius, please contact us at [email protected].

Tags:
Share:
Kamil Kokot
Kamil is a self-taught developer, working mostly as a Solution Specialist. Currently focused on empowering development teams by improving Sylius architecture and processes. A tea lover and a minimalist, interested in linguistics and cognitive science.
more articles
More from our blog
Business News Technical < 1 min read 28.09.2020
Get ready for global sales & operations with the most advanced payment solution from the famous fintech giant, now available in Sylius out of the box. Read More
Business News < 1 min read 14.09.2020
We proudly present to you the latest version of the Sylius eCommerce Platform – 1.8, which comes with a brand new, unified API powered by API Platform, Loyalty points system for Sylius Plus, and as you can probably see, a brand new sylius.com website! Numbers This new release is a… Read More
Business Ecosystem News < 1 min read 13.08.2020
Read why the French market leader trusted Sylius in a strategic re-platforming process to get a competitive eCommerce advantage. Read More
Comments
Subscribe to our newsletter
And be the first to know about Sylius news
Made with ♥️ in