NEW VERSION Sylius 2 is officially here. Check the release!
https://sylius.com/blog/security-releases-blog-post-2024/
en
https://sylius.com/fr/
fr
https://sylius.com/de/
de
https://sylius.com/pl/
pl
by Grzegorz Sadowski
2 min. read
Categories: Technical
Security releases blog post! 🚨

We’ve got you covered as long as your application is up to date.

Perfection may be elusive, but that doesn’t mean we shouldn’t strive for it.

While it’s not the most comfortable task, sharing security updates is essential in the tech world. Despite its challenges, we prioritize addressing every vulnerability diligently. Today, we’re rolling out several fixes for Sylius versions 1.12 and 1.13 as part of our commitment to your safety.

Sylius 1.12 and above

CVE-2024-29376: Potential Cross Site Scripting (XSS) via the “Province” field in the Checkout and Address Book

The original security advisory has been published on GitHub at Sylius/Sylius repository.

Is my store affected by this vulnerability?

This issue is present in all Sylius versions before 1.12.16 and 1.13.1. This only affects the base UI Shop provided by Sylius.

Impact

It is possible to save XSS code in the province field in the Checkout and Address Book and then execute it on these pages. The problem occurs when you open the address step page at checkout or edit the address in the address book.

Patches

The issue is fixed in versions: 1.12.16, 1.13.1, and above.

Workarounds

Create new file `assets/shop/sylius-province-field.js`:

gist.github.com/GSadee/0926ac86935309e17ea0acf6d7df0709#file-sylius-province-field-js

Add new import in `assets/shop/entry.js`:

gist.github.com/GSadee/0926ac86935309e17ea0acf6d7df0709#file-entry-js

Rebuild your assets:

gist.github.com/GSadee/0926ac86935309e17ea0acf6d7df0709#file-bash-sh

CVE-2024-34349: Potential Cross Site Scripting (XSS) via the “Name” field (Taxons, Products, Options, Variants) in the Admin Panel

The original security advisory has been published on GitHub at Sylius/Sylius repository.

Is my store affected by this vulnerability?

This issue is present in all Sylius versions before 1.12.16 and 1.13.1. The main attack vector for Sylius requires access to the admin panel, as there is only the possibility of creating or editing the listed entities.

Impact

Executing javascript code in the Admin panel is possible. To perform an XSS attack, input a script into the `Name` field of one of the resources: Taxons, Products, Product Options, or Product Variants. The code will be executed using an autocomplete field with one of the listed entities in the Admin Panel. The same applies to the taxons in the category tree on the product form.

Patches

The issue is fixed in versions: 1.12.16, 1.13.1 and above.

Workarounds

Create new file `assets/admin/sylius-lazy-choice-tree.js`:

gist.github.com/GSadee/0926ac86935309e17ea0acf6d7df0709#file-sylius-province-field-js

Create new file `assets/admin/sylius-auto-complete.js`:

gist.github.com/GSadee/115f430ce334c368809c3a0b5798aef3#file-sylius-auto-complete-js

Create new file assets/admin/sylius-product-auto-complete.js:

gist.github.com/GSadee/115f430ce334c368809c3a0b5798aef3#file-sylius-product-auto-complete-js

Add new import in assets/admin/entry.js:

gist.github.com/GSadee/115f430ce334c368809c3a0b5798aef3#file-entry-js

Rebuild your assets:

gist.github.com/GSadee/115f430ce334c368809c3a0b5798aef3#file-bash-sh

Tags: featured Sylius
Share:
Grzegorz Sadowski
Grzegorz is primarily one of Sylius most experienced software developers and also our Scrum Master. As he’s got a knack for detail in numbers, he is also keeping an eye on our financial and legal operations. Privately he’s a Madridista since childhood. He’d literally enjoy driving any car on earth. He’s already planned to buy an electric Audi for his tiny daughter.
more articles
More from our blog
Technical 2 min read 04.12.2024
Here’s everything you had to know about the first major release since 2017! Over 7 years after the first major release, on Nov 12, 2024, we have released Sylius 2.0.0. We had a great opportunity to announce it first at SyliusCon in Lyon, but now, as we are back to… Read More
2 min read 22.11.2024
The emotions start to settle after SyliusCon, and it’s time to reflect on this incredible milestone in our journey. Why a milestone? Because SyliusCon exceeded our expectations in every possible way. We broke attendance records and brought together the key figures of our community, numerous partners, freelancers, and simply all… Read More
Cloud 2 min read 17.06.2024
We are thrilled to announce that we just signed a strategic partnership with Platform.sh, and as a result, we are extending our offer with Sylius Cloud powered by Platform.sh. Platform.sh is a modern Platform-as-a-Service (PaaS) solution that allows businesses to leverage the cloud environment without losing access to the code… Read More
Comments
Subscribe to our newsletter
And be the first to know about Sylius news
Made with ♥️ in