The quality of our software has always been the most important thing for us. Nevertheless, live issues happen and only thanks to your alertness we are able to fix them and improve. So, what happened?
Sylius 1.0.0 to 1.0.16, 1.1.0 to 1.1.8, 1.2.0 to 1.2.1 versions of AdminBundle and ResourceBundle are affected by this security issue.
This issue has been fixed in Sylius 1.0.17, 1.1.9 and 1.2.2. Development branch for 1.3 release has also been fixed.
The following actions in the admin panel did not require a CSRF token:
The issue is fixed by adding a required CSRF token to those actions.
We also fixed
method by adding a CSRF token check. If you use that action in the API context, you can disable it by adding
csrf_protection: false to its routing configuration.
Reporting security issues
If you think that you have found a security issue in Sylius, please contact us at firstname.lastname@example.org.