Affected versions of sylius/sylius: 1.0.0 – 1.0.18, 1.1.0 – 1.1.17, 1.2.0 – 1.2.16, 1.3.0 – 1.3.11 and 1.4.0 – 1.4.3.
Affected versions of sylius/grid-bundle and sylius/grid: 1.0.0 – 1.0.18, 1.1.0 – 1.1.18, 1.2.0 – 1.2.17, 1.3.0 – 1.3.12, 1.4.0 – 1.4.4 and 1.5.0.
New sylius/grid-bundle and sylius/grid releases containing the security fix have been published: 1.1.19, 1.2.18, 1.3.13, 1.4.5 and 1.5.1.
Please note that no security fixes are provided for the Sylius application, the Grid bundle or the Grid component in versions 1.0.*. Security support for versions 1.1.* ends on 12th June 2019 according to the Sylius release process.
The Grid component omits HTML escaping (input sanitisation) when it renders an object implementing the __toString() method through the string field type, so any markup contained in the string returned by __toString() is emitted into the page verbatim.
In the default installation of Sylius the vulnerability could be exploited by XSS injection in three grids in the admin panel: the product, zone and tax category grids, which render the product name, zone name and tax category name respectively.
In the standard Sylius distribution the product name, zone name and tax category name can only be modified through the admin panel, so in a stock installation the payload has to be planted by someone who already has access to the admin panel. Nevertheless, it is advised to update as soon as possible and to check your grid customisations, since a customised grid that renders data editable by customers through the string field type does not have that restriction.
This vulnerability is listed as CVE-2019-12186.
The fix applies HTML escaping to every value rendered by the string field type, including the string returned by an object's __toString() method, instead of only to plain string values.
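The defect described above and the shape of the fix, as an added example written for this post rather than code taken from sylius/grid: a minimal stand-in for the string field type. The class names ProductName, VulnerableStringField and FixedStringField, the render() method and the expect() helper are illustrative assumptions, not the real Sylius API; the payload is constructed for the demonstration. It needs PHP 8.0 or later.

```php
<?php
declare(strict_types=1);

// Added example, not sylius/grid code: a minimal model of a grid "string"
// field type showing the reported defect and its fix. The class and method
// names are illustrative assumptions, not the real Sylius API. Needs PHP 8.0+.

// A value object such as a product name; the text it wraps can be
// attacker controlled (entered through the admin panel, or through any
// customised grid that shows customer supplied data).
final class ProductName
{
    public function __construct(private string $name) {}

    public function __toString(): string
    {
        return $this->name;
    }
}

// Vulnerable variant: scalars are escaped, but an object implementing
// __toString() is cast and returned verbatim, so its markup reaches the page.
final class VulnerableStringField
{
    public function render(mixed $value): string
    {
        if (is_object($value) && method_exists($value, '__toString')) {
            return (string) $value; // unescaped path
        }

        return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Fixed variant: normalise to a string first, then escape every value,
// whether it came from a scalar or from __toString().
final class FixedStringField
{
    public function render(mixed $value): string
    {
        return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

function expect(string $actual, string $expected): void
{
    if ($actual !== $expected) {
        throw new RuntimeException("expected [$expected], got [$actual]");
    }
}

// Constructed sample input: a product name carrying an XSS payload.
$payload = new ProductName('<img src=x onerror="alert(document.cookie)">');

$vulnerable = (new VulnerableStringField())->render($payload);
$fixed      = (new FixedStringField())->render($payload);

// The vulnerable renderer emits the markup unchanged ...
expect($vulnerable, '<img src=x onerror="alert(document.cookie)">');
// ... the fixed one neutralises it ...
expect($fixed, '&lt;img src=x onerror=&quot;alert(document.cookie)&quot;&gt;');
// ... and still handles plain scalars and values that were already safe.
expect((new FixedStringField())->render('T-Shirt & Co'), 'T-Shirt &amp; Co');
expect((new FixedStringField())->render(42), '42');

echo "vulnerable: $vulnerable\nfixed:      $fixed\n";
```

Run it with `php example.php`; it throws if either renderer misbehaves. Escaping at render time is the right layer here: a product name is legitimately allowed to contain characters such as & and <, so sanitising on input would be lossy and would still miss objects whose string form is built elsewhere in the code base.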
If you use Grid bundle or component standalone, please make sure to require those packages in the versions mentioned above or higher.
If you use the whole Sylius platform, first make sure you are on sylius/sylius 1.1.18, 1.2.17, 1.3.12, 1.4.4, 1.5.0 or higher. Once on one of those versions, follow the same steps as for the standalone Grid bundle or component and require the fixed grid packages.
You can verify whether you have the right versions of Grid component and bundle installed by running the following command:
composer show | grep sylius/grid
The packages listed should be in versions 1.1.19, 1.2.18, 1.3.13, 1.4.5, 1.5.1 or higher.
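A way to run the version check above against a project's composer.lock instead of reading the output of composer show by eye, as an added example that is not the advisory's or Sylius's own tooling. It hard-codes the fixed releases listed in this post; the file name check-grid-versions.php is an assumption, the sample lock file at the bottom is constructed for the demonstration, and it needs PHP 7.3 or later.

```php
<?php
declare(strict_types=1);

// Added example, not Sylius tooling: compares the sylius/grid, sylius/grid-bundle
// and sylius/sylius versions recorded in a composer.lock with the fixed releases
// listed in the advisory. Usage: php check-grid-versions.php [path/to/composer.lock]
// With no path it runs against the constructed sample lock at the bottom.

// Lowest fixed release per 1.x branch of the grid packages; 1.0.* got no fix.
const GRID_FIXED = [
    '1.1' => '1.1.19', '1.2' => '1.2.18', '1.3' => '1.3.13',
    '1.4' => '1.4.5',  '1.5' => '1.5.1',
];
// Lowest sylius/sylius release per branch that the advisory says to be on
// before requiring the fixed grid packages.
const SYLIUS_MIN = [
    '1.1' => '1.1.18', '1.2' => '1.2.17', '1.3' => '1.3.12',
    '1.4' => '1.4.4',  '1.5' => '1.5.0',
];
const WATCHED = [
    'sylius/grid'        => GRID_FIXED,
    'sylius/grid-bundle' => GRID_FIXED,
    'sylius/sylius'      => SYLIUS_MIN,
];

/** Returns [status, message] where status is ok, vulnerable or unknown. */
function evaluate(string $package, string $rawVersion): array
{
    $minimums = WATCHED[$package];
    // Lock files usually carry a "v" prefix, which would confuse version_compare().
    $version = ltrim($rawVersion, 'vV');

    if (!preg_match('/^(\d+)\.(\d+)\.\d+/', $version, $m)) {
        return ['unknown', "$package $rawVersion is not a tagged release, check it manually"];
    }
    $branch = "$m[1].$m[2]";

    if ($branch === '1.0') {
        return ['vulnerable', "$package $rawVersion: the 1.0.* branch received no fix, move to a supported branch"];
    }
    if (!isset($minimums[$branch])) {
        // Branches after 1.5 were released with the fix already in place.
        return version_compare($version, '1.5.0', '>')
            ? ['ok', "$package $rawVersion postdates the fix"]
            : ['unknown', "$package $rawVersion: unexpected version, check it manually"];
    }

    $fixed = $minimums[$branch];
    // A pre-release such as 1.4.5-RC1 compares below 1.4.5 and is reported, which is the safe side.
    return version_compare($version, $fixed, '>=')
        ? ['ok', "$package $rawVersion >= $fixed"]
        : ['vulnerable', "$package $rawVersion < $fixed, upgrade"];
}

/** Scans both package sections of a composer.lock and keeps only the watched packages. */
function scanLock(string $json): array
{
    $lock = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
    $findings = [];
    foreach (array_merge($lock['packages'] ?? [], $lock['packages-dev'] ?? []) as $pkg) {
        if (array_key_exists($pkg['name'], WATCHED)) {
            $findings[$pkg['name']] = evaluate($pkg['name'], $pkg['version']);
        }
    }
    return $findings;
}

// Constructed sample: a 1.4 platform whose grid component was left behind.
$sampleLock = <<<'JSON'
{
  "packages": [
    {"name": "sylius/sylius", "version": "v1.4.4"},
    {"name": "sylius/grid", "version": "v1.4.3"},
    {"name": "sylius/grid-bundle", "version": "v1.4.5"},
    {"name": "symfony/symfony", "version": "v3.4.28"}
  ],
  "packages-dev": []
}
JSON;

$json = isset($argv[1]) ? (string) file_get_contents($argv[1]) : $sampleLock;
$findings = scanLock($json);
$exitCode = 0;

if (!isset($findings['sylius/grid'], $findings['sylius/grid-bundle'])) {
    echo "NOTE       sylius/grid or sylius/grid-bundle is not listed as a separate package; nothing to check there\n";
}
foreach ($findings as [$status, $message]) {
    echo str_pad(strtoupper($status), 11), $message, "\n";
    if ($status !== 'ok') {
        $exitCode = 1;
    }
}
exit($exitCode);
```

On the constructed sample it reports sylius/sylius and sylius/grid-bundle as fixed and sylius/grid v1.4.3 as still below 1.4.5, and exits with status 1 so it can gate a CI job. It only sees what the lock file pins, so make sure the lock matches what is actually deployed (composer install, or cross-check with composer show) before trusting a clean result.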
We also recommend regularly checking your application using SensioLabs Security Checker.
In case of any problems while upgrading, feel free to send a message on the #support channel on our Slack or contact me directly (contact details below this post).
We would like to thank Piyush Malik for reporting this security issue and working towards the solution.
If you think that you have found a security issue in Sylius, please do not use the issue tracker and do not post it publicly. Instead, all security issues must be sent to firstname.lastname@example.org.