
Kamil Kokot
22.05.2019 | 2 mins read

CVE-2019-12186: XSS injection in the Grid component

Affected versions

sylius/sylius: 1.0.0 – 1.0.18, 1.1.0 – 1.1.17, 1.2.0 – 1.2.16, 1.3.0 – 1.3.11 and 1.4.0 – 1.4.3.

sylius/grid-bundle and sylius/grid: 1.0.0 – 1.0.18, 1.1.0 – 1.1.18, 1.2.0 – 1.2.17, 1.3.0 – 1.3.12, 1.4.0 – 1.4.4 and 1.5.0.

New sylius/grid-bundle and sylius/grid releases with the security fix have been published: 1.1.19, 1.2.18, 1.3.13, 1.4.5 and 1.5.1.

Please note that no security fixes are provided for the Sylius application, the Grid bundle or the Grid component in versions 1.0.*. Security support for versions 1.1.* ends on 12th June 2019 according to the Sylius release process.

Description

The Grid component omits HTML input sanitisation when rendering an object that implements the __toString() method through the string field type.

In the default installation of Sylius, the vulnerability could be exploited by XSS injection in three grids in the admin panel:

  • Product reviews grid – XSS through product name
  • Shipping methods grid – XSS through zone name
  • Tax rates grid – XSS through zone name or tax category name

Product name, zone name and tax category name can only be modified through the admin panel in a standard Sylius distribution. Nevertheless, it is advised to update as soon as possible and to check your grid customisations.

This vulnerability is listed as CVE-2019-12186.

Resolution

HTML input sanitisation is applied to every value rendered by the string field type.
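To make the description above and this fix concrete, here is an added example (not Sylius's own code) modelling a grid string field renderer in a vulnerable and a fixed shape; the Zone class and the assumption that escaping was applied only to PHP strings are illustrative, not taken from the Sylius source.

```php
<?php
// Added illustration, not Sylius code: a minimal model of a grid "string"
// field renderer. The Zone class and the exact bug shape (escaping applied
// only to PHP strings) are assumptions made for this example.

// Constructed stand-in for an entity whose name is editable in the admin panel.
final class Zone
{
    private $name;

    public function __construct(string $name)
    {
        $this->name = $name;
    }

    public function __toString(): string
    {
        return $this->name;
    }
}

// Vulnerable shape (assumed): plain strings are escaped, but an object
// implementing __toString() falls through and its output is rendered raw.
function renderStringFieldVulnerable($value): string
{
    if (is_string($value)) {
        return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }

    return (string) $value;
}

// Fixed shape: cast every value to string first, then escape, so the output
// no longer depends on whether the value arrived as a string or an object.
function renderStringFieldFixed($value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed zone name carrying markup, as it could be entered via the admin panel.
$zone = new Zone('Europe<script>alert(1)</script>');

// The vulnerable renderer returns the <script> tag verbatim; the fixed one
// escapes the angle brackets so the browser displays them as text.
var_dump(strpos(renderStringFieldVulnerable($zone), '<script>') !== false);
var_dump(strpos(renderStringFieldFixed($zone), '<script>') !== false);

// Both renderers agree on plain strings; the difference is only for objects.
var_dump(renderStringFieldVulnerable('a<b') === renderStringFieldFixed('a<b'));
```

The same pattern applies when auditing your own grid customisations: any field type that short-circuits on a type check before escaping leaves objects with __toString() unprotected.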

If you use Grid bundle or component standalone, please make sure to require those packages in the versions mentioned above or higher.

If you use the whole Sylius platform, first make sure you use sylius/sylius in version 1.1.18, 1.2.17, 1.3.12, 1.4.4, 1.5.0 or higher. Once you are on one of those versions, follow the same steps as for the standalone Grid bundle or component.

You can verify whether you have the right versions of Grid component and bundle installed by running the following command:

composer show | grep sylius/grid

The packages listed should be in versions 1.1.19, 1.2.18, 1.3.13, 1.4.5, 1.5.1 or higher.

We also recommend regularly checking your application using SensioLabs Security Checker.

In case of any problems while upgrading, feel free to send a message on the #support channel on our Slack or contact me directly (contact details below this post).

Credits

We would like to thank Piyush Malik for reporting this security issue and working towards the solution.

Reporting security issues

If you think that you have found a security issue in Sylius, please do not use the issue tracker and do not post it publicly. Instead, all security issues must be sent to security@sylius.com.

Kamil Kokot

Owner of a huge talent and a crazy imagination. Exceptional joker. Programmer by day, Krzysztof Krawczyk (famous Polish composer of evergreen songs) fan by night. Frequent concert-goer who loves to learn useless skills.
