
Kamil Kokot
09.07.2018 | 1 min read

CSRF vulnerability in the admin panel

The quality of our software has always been the most important thing for us. Nevertheless, live issues happen, and it is only thanks to your alertness that we are able to fix them and improve. So, what happened?

Affected versions

AdminBundle and ResourceBundle in Sylius versions 1.0.0 to 1.0.16, 1.1.0 to 1.1.8 and 1.2.0 to 1.2.1 are affected by this security issue.

This issue has been fixed in Sylius 1.0.17, 1.1.9 and 1.2.2. The development branch for the 1.3 release has also been fixed.


The following actions in the admin panel did not require a CSRF token:

  • marking order’s payment as completed
  • marking order’s payment as refunded
  • marking product review as accepted
  • marking product review as rejected


The issue is fixed by adding a required CSRF token to those actions.

We also fixed ResourceController's applyStateMachineTransitionAction method by adding a CSRF token check. If you use that action in the API context, you can disable it by adding csrf_protection: false to its routing configuration.
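
A routing sketch for the option above, added here as an illustration and not taken from the Sylius code base. The route names and paths are hypothetical, and the API route is assumed to authenticate with a token sent in a request header rather than a session cookie, which is the case where switching the check off is reasonable.

```yaml
# Hypothetical route names and paths (assumptions for this example).

# Admin panel route, used from a browser session: csrf_protection is left
# unset, so the transition is applied only when the request carries a
# valid CSRF token.
app_admin_payment_complete:
    path: /admin/payments/{id}/complete
    methods: [PUT]
    defaults:
        _controller: sylius.controller.payment:applyStateMachineTransitionAction
        _sylius:
            state_machine:
                graph: sylius_payment
                transition: complete

# API route, assumed to use header-based token authentication with no
# session cookie: the check is disabled explicitly for this route only.
app_api_payment_complete:
    path: /api/payments/{id}/complete
    methods: [PUT]
    defaults:
        _controller: sylius.controller.payment:applyStateMachineTransitionAction
        _sylius:
            state_machine:
                graph: sylius_payment
                transition: complete
            csrf_protection: false
```

When reviewing an upgraded project, any route that sets csrf_protection: false and is reachable with the admin session cookie reopens the issue described here.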


We would like to thank Paweł Waniek for reporting this security issue and Kamil for a quick reaction.

Reporting security issues

If you think that you have found a security issue in Sylius, please contact us at
