CVE-2019-12186: XSS injection in the Grid component

Affected versions

sylius/sylius: 1.0.0 – 1.0.18, 1.1.0 – 1.1.17, 1.2.0 – 1.2.16, 1.3.0 – 1.3.11 and 1.4.0 – 1.4.3.

sylius/grid-bundle and sylius/grid: 1.0.0 – 1.0.18, 1.1.0 – 1.1.18, 1.2.0 – 1.2.17, 1.3.0 – 1.3.12, 1.4.0 – 1.4.4 and 1.5.0.

New sylius/grid-bundle and sylius/grid releases containing the security fix have been released: 1.1.19, 1.2.18, 1.3.13, 1.4.5 and 1.5.1.

Please note that no security fixes are provided for the Sylius application, the Grid bundle or the Grid component in versions 1.0.*. Security support for versions 1.1.* ends on 12th June 2019 according to the Sylius release process.

Description

The Grid component omits HTML sanitisation when rendering an object that implements the __toString() method through the string field type.

In the default installation of Sylius, the vulnerability could be exploited by XSS injection in three grids in the admin panel:

  • Product reviews grid – XSS through product name
  • Shipping methods grid – XSS through zone name
  • Tax rates grid – XSS through zone name or tax category name

Product name, zone name and tax category name can only be modified through the admin panel in the standard Sylius distribution. Nevertheless, it is advised to update as soon as possible and to check your grid customisations.

This vulnerability is listed as CVE-2019-12186.

Resolution

HTML input sanitisation is applied to every value rendered by the string field type.
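To illustrate the defect and the fix described above, here is a constructed PHP example. It is not the Grid component's own code: the Zone class, the two render functions and the sample value are hypothetical stand-ins for an entity with __toString() being rendered by the string field type.

```php
<?php
declare(strict_types=1);

// Constructed stand-in, not Sylius code: a minimal entity that implements
// __toString(), as zone and tax category objects do when shown in a grid.
final class Zone
{
    public function __construct(private string $name) {}

    public function __toString(): string
    {
        return $this->name;
    }
}

// Before: the renderer casts the object to string and returns the raw result,
// so markup stored in the entity name reaches the admin page unescaped.
function renderStringFieldVulnerable(mixed $value): string
{
    return (string) $value;
}

// After: every value is escaped once, whatever its original type. Casting first
// covers objects with __toString(); ENT_QUOTES covers attribute as well as text
// context, and ENT_SUBSTITUTE avoids returning '' on invalid UTF-8 input.
function renderStringFieldFixed(mixed $value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed zone name containing markup, as an admin-entered value could.
$zone = new Zone('EU <b>wholesale</b>');

// Vulnerable output keeps the tags intact and the browser interprets them.
assert(renderStringFieldVulnerable($zone) === 'EU <b>wholesale</b>');

// Fixed output turns them into entities the browser displays as literal text.
assert(renderStringFieldFixed($zone) === 'EU &lt;b&gt;wholesale&lt;/b&gt;');

echo renderStringFieldFixed($zone), PHP_EOL;
```

When auditing custom grids, the same check applies to any custom field type that returns a cast object without escaping it, or that marks its output as raw in the template.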

If you use Grid bundle or component standalone, please make sure to require those packages in the versions mentioned above or higher.

If you use the whole Sylius platform, first make sure to use sylius/sylius in version 1.1.18, 1.2.17, 1.3.12, 1.4.4, 1.5.0 or higher. With one of those versions of Sylius installed, follow the same steps as for the standalone Grid bundle or component.

You can verify whether you have the right versions of Grid component and bundle installed by running the following command:

composer show | grep sylius/grid

The packages listed should be in versions 1.1.19, 1.2.18, 1.3.13, 1.4.5, 1.5.1 or higher.

We also recommend regularly checking your application using SensioLabs Security Checker.

In case of any problems while upgrading, feel free to send a message on the #support channel on our Slack or contact me directly (contact details below this post).

Credits

We would like to thank Piyush Malik for reporting this security issue and working towards the solution.

Reporting security issues

If you think that you have found a security issue in Sylius, please do not use the issue tracker and do not post it publicly. Instead, all security issues must be sent to [email protected].
