12.12.2020
2 min. read
Categories: News Technical
CVE-2019-12186: XSS injection in the Grid component
CVE-2019-12186: XSS injection in the Grid component

Affected versions

sylius/sylius: 1.0.0 – 1.0.18, 1.1.0 – 1.1.17, 1.2.0 – 1.2.16, 1.3.0 – 1.3.11 and 1.4.0 – 1.4.3.

sylius/grid-bundle and sylius/grid: 1.0.0 – 1.0.18, 1.1.0 – 1.1.18, 1.2.0 – 1.2.17, 1.3.0 – 1.3.12, 1.4.0 – 1.4.4 and 1.5.0.

New sylius/grid-bundle and sylius/grid releases with the security fix has been released: 1.1.19, 1.2.18, 1.3.13, 1.4.5 and 1.5.1.

Please note that there are no security fixes provided for both Sylius application, Grid bundle and Grid component in versions 1.0.*. Security support for versions 1.1.* ends on 12th June 2019 according to Sylius release process.

Description

Grid component omits HTML input sanitisation while rendering object implementing __toString() method through the string field type.

In the default installation of Sylius, the vulnerability could be exploited by XSS injection in three grids in the admin panel:

  • Product reviews grid – XSS through product name
  • Shipping methods grid – XSS through zone name
  • Tax rates grid – XSS through zone name or tax category name

Both product name, zone name and tax category name can be only modified through the admin panel in standard Sylius distribution. Nevertheless, it is advised to update as soon as possible and check your grid customisations.

This vulnerability is listed as CVE-2019-12186.

Resolution

HTML input sanitisation is applied to every value rendered by the string field type.

If you use Grid bundle or component standalone, please make sure to require those packages in the versions mentioned above or higher.

If you use the whole Sylius platform, first make sure to use sylius/sylius in versions 1.1.18, 1.2.17, 1.3.12, 1.4.4, 1.5.0 or higher. Having those versions of Sylius, follow the steps as if you use Grid bundle or component standalone.

You can verify whether you have the right versions of Grid component and bundle installed by running the following command:

composer show | grep sylius/grid

The packages listed should be in versions 1.1.19, 1.2.18, 1.3.13, 1.4.5, 1.5.1 or higher.

We also recommend regularly checking your application using SensioLabs Security Checker.

In case of any problems while upgrading, feel free to send a message on the #support channel on our Slack or contact me directly (contact details below this post).

Credits

We would like to thank Piyush Malik for reporting this security issue and working towards the solution.

Reporting security issues

If you think that you have found a security issue in Sylius, please do not use the issue tracker and do not post it publicly. Instead, all security issues must be sent to security@sylius.com.

Share:
Kamil Kokot
Kamil is a self-taught developer, working mostly as a Solution Specialist. Currently focused on empowering development teams by improving Sylius architecture and processes. A tea lover and a minimalist, interested in linguistics and cognitive science.
More from our blog
Business News Technical 2 min read 28.09.2020
Get ready for global sales & operations with the most advanced payment solution from the famous fintech giant, now available in Sylius out of the box. Read More
Business News 2 min read 14.09.2020
We proudly present to you the latest version of the Sylius eCommerce Platform – 1.8, which comes with a brand new, unified API powered by API Platform, Loyalty points system for Sylius Plus, and as you can probably see, a brand new sylius.com website! Numbers This new release is a… Read More
Business Ecosystem News 2 min read 13.08.2020
Read why the French market leader trusted Sylius in a strategic re-platforming process to get a competitive eCommerce advantage. Read More
Comments