Security releases blog post! 🚨

We’ve got you covered as long as your application is up to date.

Perfection may be elusive, but that doesn’t mean we shouldn’t strive for it.

While it’s not the most comfortable task, sharing security updates is essential in the tech world. Despite its challenges, we prioritize addressing every vulnerability diligently. Today, we’re rolling out several fixes for Sylius versions 1.12 and 1.13 as part of our commitment to your safety.

Sylius 1.12 and above

CVE-2024-29376: Potential Cross Site Scripting (XSS) via the “Province” field in the Checkout and Address Book

The original security advisory has been published on GitHub in the Sylius/Sylius repository.

Is my store affected by this vulnerability?

This issue is present in all Sylius versions before 1.12.16 and 1.13.1. It only affects the default shop UI shipped with Sylius.

Impact

A script payload can be stored in the province field of an address, in the Checkout and in the Address Book, and is then executed when that field is rendered again. This happens when the address step of the checkout is opened or when an address is edited in the address book.

Patches

The issue is fixed in versions: 1.12.16, 1.13.1, and above.

Workarounds

Create new file `assets/shop/sylius-province-field.js`:

gist.github.com/GSadee/0926ac86935309e17ea0acf6d7df0709#file-sylius-province-field-js

Add new import in `assets/shop/entry.js`:

gist.github.com/GSadee/0926ac86935309e17ea0acf6d7df0709#file-entry-js

Rebuild your assets:

gist.github.com/GSadee/0926ac86935309e17ea0acf6d7df0709#file-bash-sh

CVE-2024-34349: Potential Cross Site Scripting (XSS) via the “Name” field (Taxons, Products, Options, Variants) in the Admin Panel

The original security advisory has been published on GitHub in the Sylius/Sylius repository.

Is my store affected by this vulnerability?

This issue is present in all Sylius versions before 1.12.16 and 1.13.1. Exploiting it requires access to the Admin Panel, since the listed entities can only be created or edited there.

Impact

JavaScript code can be executed in the Admin Panel. A script entered into the `Name` field of one of the resources (Taxons, Products, Product Options, or Product Variants) is executed when that entity is displayed in an autocomplete field in the Admin Panel. The same applies to taxons shown in the category tree on the product form.

Patches

The issue is fixed in versions: 1.12.16, 1.13.1, and above.

Workarounds

Create new file `assets/admin/sylius-lazy-choice-tree.js`:

gist.github.com/GSadee/0926ac86935309e17ea0acf6d7df0709#file-sylius-province-field-js

Create new file `assets/admin/sylius-auto-complete.js`:

gist.github.com/GSadee/115f430ce334c368809c3a0b5798aef3#file-sylius-auto-complete-js

Create new file `assets/admin/sylius-product-auto-complete.js`:

gist.github.com/GSadee/115f430ce334c368809c3a0b5798aef3#file-sylius-product-auto-complete-js

Add new import in `assets/admin/entry.js`:

gist.github.com/GSadee/115f430ce334c368809c3a0b5798aef3#file-entry-js

Rebuild your assets:

gist.github.com/GSadee/115f430ce334c368809c3a0b5798aef3#file-bash-sh
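Both advisories above share one root cause: a stored string (a province name, an entity `Name`) is spliced into markup built in the browser without being escaped. The following is an added example written for this post; it is not Sylius code and not the contents of the linked gists. The field names (`code`, `name`), the markup shapes, and the sample data are assumptions made for the illustration. It shows the defective interpolation beside its hardened form and a small check a reviewer can run over generated markup.

```javascript
// Added example (not Sylius code and not the contents of the linked gists):
// escape untrusted strings before they are spliced into HTML that the
// browser will parse. The field names (code, name) and the markup shapes
// are assumptions made for this illustration.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape every character that can break out of a text node or a
// double-quoted attribute value. Applied at the moment of output, not
// when the value is stored, so the stored address stays unchanged.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// The defect the advisories describe, in its simplest form: the raw
// province name is interpolated into markup, so a stored "<script>" is
// rendered as a real element when the address step loads.
function renderOptionUnsafe(province) {
  return `<option value="${province.code}">${province.name}</option>`;
}

// Hardened version: both the attribute value and the text content go
// through escapeHtml, so the same input is rendered as visible text.
function renderOptionSafe(province) {
  return `<option value="${escapeHtml(province.code)}">` +
    `${escapeHtml(province.name)}</option>`;
}

// Same rule for an admin autocomplete entry (Taxon, Product, Option,
// Variant): the entity name is user-controlled data once an admin account
// is used, so it is escaped on output exactly like the province.
function renderAutocompleteItemSafe(entity) {
  return `<div class="item" data-value="${escapeHtml(entity.code)}">` +
    `${escapeHtml(entity.name)}</div>`;
}

// Build the whole province <select> from a list of provinces.
function renderProvinceSelect(provinces) {
  return `<select name="province">${provinces.map(renderOptionSafe).join('')}</select>`;
}

// Review/test helper: report whether the generated markup contains any
// tag other than the ones our own template emits. Escaped "&lt;" does not
// match because the regex needs a literal "<".
function containsUnexpectedTag(html, allowedTags) {
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9-]*)/g;
  let match;
  while ((match = tagRe.exec(html)) !== null) {
    if (!allowedTags.includes(match[1].toLowerCase())) {
      return true;
    }
  }
  return false;
}

// Constructed sample data: the second province name carries a script tag,
// the shape of a stored-XSS payload. Nothing here runs it; we only build
// and inspect strings.
const SAMPLE_PROVINCES = [
  { code: 'PL-MZ', name: 'Mazowieckie' },
  { code: 'PL-XX', name: 'Evil <script>alert(1)</script>' },
];

console.log('unsafe :', renderOptionUnsafe(SAMPLE_PROVINCES[1]));
console.log('safe   :', renderOptionSafe(SAMPLE_PROVINCES[1]));
console.log('select :', renderProvinceSelect(SAMPLE_PROVINCES));
```

When the code builds DOM nodes directly rather than HTML strings, prefer `document.createElement` with `textContent` and `setAttribute`, which need no escaping at all; string escaping as above is for the template-string style of rendering that the advisories' workarounds replace. `containsUnexpectedTag` is a cheap regression check for a unit test: render the fixture with a tag-bearing name and assert that only the template's own tags appear.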

Grzegorz Sadowski