We’ve got you covered as long as your application is up to date.
Perfection may be elusive, but that doesn’t mean we shouldn’t strive for it.
While it’s not the most comfortable task, sharing security updates is essential in the tech world. Despite its challenges, we prioritize addressing every vulnerability diligently. Today, we’re rolling out several fixes for Sylius versions 1.12 and 1.13 as part of our commitment to your safety.
Sylius 1.12 and above
CVE-2024-29376: Potential Cross Site Scripting (XSS) via the “Province” field in the Checkout and Address Book
The original security advisory has been published on GitHub at Sylius/Sylius repository.
Is my store affected by this vulnerability?
This issue is present in all Sylius versions before 1.12.16 and 1.13.1. This only affects the base UI Shop provided by Sylius.
Impact
It is possible to save XSS code in the province field in the Checkout and Address Book and then execute it on these pages. The problem occurs when you open the address step page at checkout or edit the address in the address book.
Patches
The issue is fixed in versions: 1.12.16, 1.13.1, and above.
Workarounds
Create new file `assets/shop/sylius-province-field.js`:
gist.github.com/GSadee/0926ac86935309e17ea0acf6d7df0709#file-sylius-province-field-js
Add new import in `assets/shop/entry.js`:
gist.github.com/GSadee/0926ac86935309e17ea0acf6d7df0709#file-entry-js
Rebuild your assets:
gist.github.com/GSadee/0926ac86935309e17ea0acf6d7df0709#file-bash-sh
CVE-2024-34349: Potential Cross Site Scripting (XSS) via the “Name” field (Taxons, Products, Options, Variants) in the Admin Panel
The original security advisory has been published on GitHub at Sylius/Sylius repository.
Is my store affected by this vulnerability?
This issue is present in all Sylius versions before 1.12.16 and 1.13.1. The main attack vector for Sylius requires access to the admin panel, as there is only the possibility of creating or editing the listed entities.
Impact
Executing javascript code in the Admin panel is possible. To perform an XSS attack, input a script into the `Name` field of one of the resources: Taxons, Products, Product Options, or Product Variants. The code will be executed using an autocomplete field with one of the listed entities in the Admin Panel. The same applies to the taxons in the category tree on the product form.
Patches
The issue is fixed in versions: 1.12.16, 1.13.1 and above.
Workarounds
Create new file `assets/admin/sylius-lazy-choice-tree.js`:
gist.github.com/GSadee/0926ac86935309e17ea0acf6d7df0709#file-sylius-province-field-js
Create new file `assets/admin/sylius-auto-complete.js`:
gist.github.com/GSadee/115f430ce334c368809c3a0b5798aef3#file-sylius-auto-complete-js
Create new file assets/admin/sylius-product-auto-complete.js:
gist.github.com/GSadee/115f430ce334c368809c3a0b5798aef3#file-sylius-product-auto-complete-js
Add new import in assets/admin/entry.js:
gist.github.com/GSadee/115f430ce334c368809c3a0b5798aef3#file-entry-js
Rebuild your assets:
gist.github.com/GSadee/115f430ce334c368809c3a0b5798aef3#file-bash-sh
The post Security releases blog post! 🚨 first appeared on Sylius.