Search criteria
40 vulnerabilities found for Sylius by Sylius
FKIE_CVE-2024-57610
Vulnerability from fkie_nvd - Published: 2025-02-06 18:15 - Updated: 2025-09-19 19:07
Severity ?
Summary
A rate limiting issue in Sylius v2.0.2 allows a remote attacker to perform unrestricted brute-force attacks on user accounts, significantly increasing the risk of account compromise and denial of service for legitimate users. The Supplier's position is that the Sylius core software is not intended to address brute-force attacks; instead, customers deploying a Sylius-based system are supposed to use "firewalls, rate-limiting middleware, or authentication providers" for that functionality.
References
| URL | Tags | ||
|---|---|---|---|
| cve@mitre.org | https://github.com/Sylius/Sylius | Product | |
| cve@mitre.org | https://github.com/nca785/CVE-2024-57610 | Exploit, Third Party Advisory | |
| cve@mitre.org | https://sylius.com/ | Product |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sylius:sylius:2.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "B01DD7BD-B52D-4EC8-82CE-E42FD054FA68",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [
{
"sourceIdentifier": "cve@mitre.org",
"tags": [
"disputed"
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A rate limiting issue in Sylius v2.0.2 allows a remote attacker to perform unrestricted brute-force attacks on user accounts, significantly increasing the risk of account compromise and denial of service for legitimate users. The Supplier\u0027s position is that the Sylius core software is not intended to address brute-force attacks; instead, customers deploying a Sylius-based system are supposed to use \"firewalls, rate-limiting middleware, or authentication providers\" for that functionality."
},
{
"lang": "es",
"value": "Un problema de limitaci\u00f3n de velocidad en Sylius v2.0.2 permite a un atacante remoto realizar ataques de fuerza bruta sin restricciones en cuentas de usuario, lo que aumenta significativamente el riesgo de comprometer la cuenta y denegar el servicio para usuarios leg\u00edtimos."
}
],
"id": "CVE-2024-57610",
"lastModified": "2025-09-19T19:07:05.667",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2025-02-06T18:15:32.133",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Product"
],
"url": "https://github.com/Sylius/Sylius"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/nca785/CVE-2024-57610"
},
{
"source": "cve@mitre.org",
"tags": [
"Product"
],
"url": "https://sylius.com/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-307"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
FKIE_CVE-2021-3841
Vulnerability from fkie_nvd - Published: 2024-11-15 11:15 - Updated: 2024-11-19 17:11
Severity ?
Summary
sylius/sylius versions prior to 1.9.10, 1.10.11, and 1.11.2 are vulnerable to stored cross-site scripting (XSS) through SVG files. This vulnerability allows attackers to inject malicious scripts that can be executed in the context of the user's browser.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E2B404E6-8985-428A-A7C4-880A4947766B",
"versionEndExcluding": "1.9.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*",
"matchCriteriaId": "687E9BB6-A926-4A62-B44E-7A1B236D6C6F",
"versionEndExcluding": "1.10.11",
"versionStartIncluding": "1.10.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D4D032BB-B314-42A5-808D-5861B909F76F",
"versionEndExcluding": "1.11.2",
"versionStartIncluding": "1.11.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "sylius/sylius versions prior to 1.9.10, 1.10.11, and 1.11.2 are vulnerable to stored cross-site scripting (XSS) through SVG files. This vulnerability allows attackers to inject malicious scripts that can be executed in the context of the user\u0027s browser."
},
{
"lang": "es",
"value": "Las versiones de sylius/sylius anteriores a 1.9.10, 1.10.11 y 1.11.2 son vulnerables a cross-site scripting (XSS) almacenado a trav\u00e9s de archivos SVG. Esta vulnerabilidad permite a los atacantes inyectar secuencias de comandos maliciosas que pueden ejecutarse en el contexto del navegador del usuario."
}
],
"id": "CVE-2021-3841",
"lastModified": "2024-11-19T17:11:49.017",
"metrics": {
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"exploitabilityScore": 0.7,
"impactScore": 3.4,
"source": "security@huntr.dev",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-11-15T11:15:05.980",
"references": [
{
"source": "security@huntr.dev",
"tags": [
"Patch"
],
"url": "https://github.com/sylius/sylius/commit/3da169e0c23e752974d74223cc536c29a2a82edc"
},
{
"source": "security@huntr.dev",
"tags": [
"Broken Link"
],
"url": "https://huntr.com/bounties/1625506791178-Sylius/Sylius"
}
],
"sourceIdentifier": "security@huntr.dev",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security@huntr.dev",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2024-29376
Vulnerability from fkie_nvd - Published: 2024-04-22 19:15 - Updated: 2025-09-15 15:50
Severity ?
Summary
Sylius 1.12.13 is vulnerable to Cross Site Scripting (XSS) via the "Province" field in Address Book.
References
| URL | Tags | ||
|---|---|---|---|
| cve@mitre.org | https://github.com/r2tunes/Reports/blob/main/Sylius.md | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/r2tunes/Reports/blob/main/Sylius.md | Exploit, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sylius:sylius:1.12.13:*:*:*:*:*:*:*",
"matchCriteriaId": "3107549E-A532-4A0A-AF4F-0FCA8254A684",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Sylius 1.12.13 is vulnerable to Cross Site Scripting (XSS) via the \"Province\" field in Address Book."
},
{
"lang": "es",
"value": "Sylius 1.12.13 es vulnerable a Cross Site Scripting (XSS) a trav\u00e9s del campo \"Provincia\" en la Libreta de direcciones."
}
],
"id": "CVE-2024-29376",
"lastModified": "2025-09-15T15:50:07.947",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 2.7,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-04-22T19:15:46.560",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/r2tunes/Reports/blob/main/Sylius.md"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/r2tunes/Reports/blob/main/Sylius.md"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
FKIE_CVE-2022-24749
Vulnerability from fkie_nvd - Published: 2022-03-14 22:15 - Updated: 2024-11-21 06:51
Severity ?
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
Sylius is an open source eCommerce platform. In versions prior to 1.9.10, 1.10.11, and 1.11.2, it is possible to upload an SVG file containing cross-site scripting (XSS) code in the admin panel. In order to perform a XSS attack, the file itself has to be open in a new card or loaded outside of the IMG tag. The problem applies both to the files opened on the admin panel and shop pages. The issue is fixed in versions 1.9.10, 1.10.11, and 1.11.2. As a workaround, require a library that adds on-upload file sanitization and overwrite the service before writing the file to the filesystem. The GitHub Security Advisory contains more specific information about the workaround.
References
| URL | Tags | ||
|---|---|---|---|
| security-advisories@github.com | https://github.com/Sylius/Sylius/releases/tag/v1.10.11 | Third Party Advisory | |
| security-advisories@github.com | https://github.com/Sylius/Sylius/releases/tag/v1.11.2 | Third Party Advisory | |
| security-advisories@github.com | https://github.com/Sylius/Sylius/releases/tag/v1.9.10 | Third Party Advisory | |
| security-advisories@github.com | https://github.com/Sylius/Sylius/security/advisories/GHSA-4qrp-27r3-66fj | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Sylius/Sylius/releases/tag/v1.10.11 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Sylius/Sylius/releases/tag/v1.11.2 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Sylius/Sylius/releases/tag/v1.9.10 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Sylius/Sylius/security/advisories/GHSA-4qrp-27r3-66fj | Exploit, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E2B404E6-8985-428A-A7C4-880A4947766B",
"versionEndExcluding": "1.9.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*",
"matchCriteriaId": "687E9BB6-A926-4A62-B44E-7A1B236D6C6F",
"versionEndExcluding": "1.10.11",
"versionStartIncluding": "1.10.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D4D032BB-B314-42A5-808D-5861B909F76F",
"versionEndExcluding": "1.11.2",
"versionStartIncluding": "1.11.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Sylius is an open source eCommerce platform. In versions prior to 1.9.10, 1.10.11, and 1.11.2, it is possible to upload an SVG file containing cross-site scripting (XSS) code in the admin panel. In order to perform a XSS attack, the file itself has to be open in a new card or loaded outside of the IMG tag. The problem applies both to the files opened on the admin panel and shop pages. The issue is fixed in versions 1.9.10, 1.10.11, and 1.11.2. As a workaround, require a library that adds on-upload file sanitization and overwrite the service before writing the file to the filesystem. The GitHub Security Advisory contains more specific information about the workaround."
},
{
"lang": "es",
"value": "Sylius es una plataforma de comercio electr\u00f3nico de c\u00f3digo abierto. En versiones anteriores a 1.9.10, 1.10.11 y 1.11.2, es posible cargar un archivo SVG que contenga c\u00f3digo de tipo cross-site scripting (XSS) en el panel de administraci\u00f3n. Para llevar a cabo un ataque de tipo XSS, el propio archivo tiene que abrirse en una nueva tarjeta o cargarse fuera de la etiqueta IMG. El problema es aplicado tanto a los archivos abiertos en el panel de administraci\u00f3n como a las p\u00e1ginas de la tienda. El problema est\u00e1 corregido en versiones 1.9.10, 1.10.11 y 1.11.2. Como medida de mitigaci\u00f3n, requiera una biblioteca que a\u00f1ada saneo de archivos al cargar y sobrescriba el servicio antes de escribir el archivo en el sistema de archivos. El aviso de seguridad de GitHub contiene informaci\u00f3n m\u00e1s espec\u00edfica sobre la mitigaci\u00f3n"
}
],
"id": "CVE-2022-24749",
"lastModified": "2024-11-21T06:51:00.700",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-03-14T22:15:07.610",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.10.11"
},
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.11.2"
},
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.9.10"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-4qrp-27r3-66fj"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.10.11"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.11.2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.9.10"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-4qrp-27r3-66fj"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-80"
},
{
"lang": "en",
"value": "CWE-434"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2022-24743
Vulnerability from fkie_nvd - Published: 2022-03-14 21:15 - Updated: 2024-11-21 06:50
Severity ?
7.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
8.2 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
8.2 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
Summary
Sylius is an open source eCommerce platform. Prior to versions 1.10.11 and 1.11.2, the reset password token was not set to null after the password was changed. The same token could be used several times, which could result in leak of the existing token and unauthorized password change. The issue is fixed in versions 1.10.11 and 1.11.2. As a workaround, overwrite the `Sylius\Bundle\ApiBundle\CommandHandler\ResetPasswordHandler` class with code provided by the maintainers and register it in a container. More information about this workaround is available in the GitHub Security Advisory.
References
| URL | Tags | ||
|---|---|---|---|
| security-advisories@github.com | https://github.com/Sylius/Sylius/releases/tag/v1.10.11 | Third Party Advisory | |
| security-advisories@github.com | https://github.com/Sylius/Sylius/releases/tag/v1.11.2 | Third Party Advisory | |
| security-advisories@github.com | https://github.com/Sylius/Sylius/security/advisories/GHSA-mf3v-f2qq-pf9g | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Sylius/Sylius/releases/tag/v1.10.11 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Sylius/Sylius/releases/tag/v1.11.2 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Sylius/Sylius/security/advisories/GHSA-mf3v-f2qq-pf9g | Exploit, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*",
"matchCriteriaId": "687E9BB6-A926-4A62-B44E-7A1B236D6C6F",
"versionEndExcluding": "1.10.11",
"versionStartIncluding": "1.10.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D4D032BB-B314-42A5-808D-5861B909F76F",
"versionEndExcluding": "1.11.2",
"versionStartIncluding": "1.11.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Sylius is an open source eCommerce platform. Prior to versions 1.10.11 and 1.11.2, the reset password token was not set to null after the password was changed. The same token could be used several times, which could result in leak of the existing token and unauthorized password change. The issue is fixed in versions 1.10.11 and 1.11.2. As a workaround, overwrite the `Sylius\\Bundle\\ApiBundle\\CommandHandler\\ResetPasswordHandler` class with code provided by the maintainers and register it in a container. More information about this workaround is available in the GitHub Security Advisory."
},
{
"lang": "es",
"value": "Sylius es una plataforma de comercio electr\u00f3nico de c\u00f3digo abierto. En versiones anteriores a 1.10.11 y 1.11.2, el token de restablecimiento de contrase\u00f1a no se establec\u00eda como nulo despu\u00e9s de cambiar la contrase\u00f1a. El mismo token pod\u00eda ser usado varias veces, lo que pod\u00eda resultar en un filtrado del token existente y a un cambio de contrase\u00f1a no autorizado. El problema ha sido corregido en versiones 1.10.11 y 1.11.2. Como medida de mitigaci\u00f3n, sobrescriba la clase \"Sylius\\Bundle\\ApiBundle\\CommandHandler\\ResetPasswordHandler\" con el c\u00f3digo proporcionado por los mantenedores y reg\u00edstrela en un contenedor. M\u00e1s informaci\u00f3n sobre esta medida de mitigaci\u00f3n est\u00e1 disponible en el aviso de seguridad de GitHub"
}
],
"id": "CVE-2022-24743",
"lastModified": "2024-11-21T06:50:59.970",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 4.2,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 4.2,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-03-14T21:15:07.947",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.10.11"
},
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.11.2"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-mf3v-f2qq-pf9g"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.10.11"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.11.2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-mf3v-f2qq-pf9g"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-613"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-613"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2022-24742
Vulnerability from fkie_nvd - Published: 2022-03-14 20:15 - Updated: 2024-11-21 06:50
Severity ?
5.0 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Summary
Sylius is an open source eCommerce platform. Prior to versions 1.9.10, 1.10.11, and 1.11.2, any other user can view the data if browser tab remains unclosed after log out. The issue is fixed in versions 1.9.10, 1.10.11, and 1.11.2. A workaround is available. The application must strictly redirect to login page even browser back button is pressed. Another possibility is to set more strict cache policies for restricted content.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E2B404E6-8985-428A-A7C4-880A4947766B",
"versionEndExcluding": "1.9.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*",
"matchCriteriaId": "687E9BB6-A926-4A62-B44E-7A1B236D6C6F",
"versionEndExcluding": "1.10.11",
"versionStartIncluding": "1.10.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D4D032BB-B314-42A5-808D-5861B909F76F",
"versionEndExcluding": "1.11.2",
"versionStartIncluding": "1.11.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Sylius is an open source eCommerce platform. Prior to versions 1.9.10, 1.10.11, and 1.11.2, any other user can view the data if browser tab remains unclosed after log out. The issue is fixed in versions 1.9.10, 1.10.11, and 1.11.2. A workaround is available. The application must strictly redirect to login page even browser back button is pressed. Another possibility is to set more strict cache policies for restricted content."
},
{
"lang": "es",
"value": "Sylius es una plataforma de comercio electr\u00f3nico de c\u00f3digo abierto. En versiones anteriores a 1.9.10, 1.10.11 y 1.11.2, cualquier otro usuario pod\u00eda visualizar los datos si la pesta\u00f1a del navegador permanec\u00eda sin cerrar despu\u00e9s de cerrar la sesi\u00f3n. El problema ha sido solucionado en versiones 1.9.10, 1.10.11 y 1.11.2. Se presenta una medida de mitigaci\u00f3n disponible. La aplicaci\u00f3n debe redirigir estrictamente a la p\u00e1gina de inicio de sesi\u00f3n incluso si es pulsado el bot\u00f3n de retroceso del navegador. Otra posibilidad es establecer pol\u00edticas de cach\u00e9 m\u00e1s estrictas para el contenido restringido"
}
],
"id": "CVE-2022-24742",
"lastModified": "2024-11-21T06:50:59.840",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.3,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-03-14T20:15:08.683",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.10.11"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.11.2"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.9.10"
},
{
"source": "security-advisories@github.com",
"tags": [
"Mitigation",
"Third Party Advisory"
],
"url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-7563-75j9-6h5p"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.10.11"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.11.2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.9.10"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mitigation",
"Third Party Advisory"
],
"url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-7563-75j9-6h5p"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-668"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2022-24733
Vulnerability from fkie_nvd - Published: 2022-03-14 19:15 - Updated: 2024-11-21 06:50
Severity ?
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
Sylius is an open source eCommerce platform. Prior to versions 1.9.10, 1.10.11, and 1.11.2, it is possible for a page controlled by an attacker to load the website within an iframe. This will enable a clickjacking attack, in which the attacker's page overlays the target application's interface with a different interface provided by the attacker. The issue is fixed in versions 1.9.10, 1.10.11, and 1.11.2. A workaround is available. Every response from app should have an X-Frame-Options header set to: ``sameorigin``. To achieve that, add a new `subscriber` in the app.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E2B404E6-8985-428A-A7C4-880A4947766B",
"versionEndExcluding": "1.9.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*",
"matchCriteriaId": "687E9BB6-A926-4A62-B44E-7A1B236D6C6F",
"versionEndExcluding": "1.10.11",
"versionStartIncluding": "1.10.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D4D032BB-B314-42A5-808D-5861B909F76F",
"versionEndExcluding": "1.11.2",
"versionStartIncluding": "1.11.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Sylius is an open source eCommerce platform. Prior to versions 1.9.10, 1.10.11, and 1.11.2, it is possible for a page controlled by an attacker to load the website within an iframe. This will enable a clickjacking attack, in which the attacker\u0027s page overlays the target application\u0027s interface with a different interface provided by the attacker. The issue is fixed in versions 1.9.10, 1.10.11, and 1.11.2. A workaround is available. Every response from app should have an X-Frame-Options header set to: ``sameorigin``. To achieve that, add a new `subscriber` in the app."
},
{
"lang": "es",
"value": "Sylius es una plataforma de comercio electr\u00f3nico de c\u00f3digo abierto. En versiones anteriores a 1.9.10, 1.10.11 y 1.11.2, es posible que una p\u00e1gina controlada por un atacante cargue el sitio web dentro de un iframe. Esto permitir\u00eda un ataque de clickjacking, en el que la p\u00e1gina del atacante superpone la interfaz de la aplicaci\u00f3n objetivo con una interfaz diferente proporcionada por el atacante. El problema ha sido corregido en versiones 1.9.10, 1.10.11 y 1.11.2. Se presenta una medida de mitigaci\u00f3n disponible. Cada respuesta de la aplicaci\u00f3n debe tener un encabezado X-Frame-Options configurada como \"sameorigin\". Para conseguirlo, a\u00f1ada un nuevo \"subscriber\" en la aplicaci\u00f3n"
}
],
"id": "CVE-2022-24733",
"lastModified": "2024-11-21T06:50:58.550",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-03-14T19:15:12.173",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.10.11"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.11.2"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.9.10"
},
{
"source": "security-advisories@github.com",
"tags": [
"Mitigation",
"Third Party Advisory"
],
"url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-4jp3-q2qm-9fmw"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.10.11"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.11.2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.9.10"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mitigation",
"Third Party Advisory"
],
"url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-4jp3-q2qm-9fmw"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-1021"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2021-32720
Vulnerability from fkie_nvd - Published: 2021-06-28 19:15 - Updated: 2024-11-21 06:07
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
Sylius is an Open Source eCommerce platform on top of Symfony. In versions of Sylius prior to 1.9.5 and 1.10.0-RC.1, part of the details (order ID, order number, items total, and token value) of all placed orders were exposed to unauthorized users. If exploited properly, a few additional information like the number of items in the cart and the date of the shipping may be fetched as well. This data seems to not be crucial nor is personal data, however, could be used for sociotechnical attacks or may expose a few details about shop condition to the third parties. The data possible to aggregate are the number of processed orders or their value in the moment of time. The problem has been patched at Sylius 1.9.5 and 1.10.0-RC.1. There are a few workarounds for the vulnerability. The first possible solution is to hide the problematic endpoints behind the firewall from not logged in users. This would put only the order list under the firewall and allow only authorized users to access it. Once a user is authorized, it will have access to theirs orders only. The second possible solution is to decorate the `\Sylius\Bundle\ApiBundle\Doctrine\QueryCollectionExtension\OrdersByLoggedInUserExtension` and throw `Symfony\Component\Security\Core\Exception\AccessDeniedException` if the class is executed for unauthorized user.
References
| URL | Tags | ||
|---|---|---|---|
| security-advisories@github.com | https://github.com/Sylius/Sylius/releases/tag/v1.9.5 | Release Notes, Third Party Advisory | |
| security-advisories@github.com | https://github.com/Sylius/Sylius/security/advisories/GHSA-rpxh-vg2x-526v | Mitigation, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Sylius/Sylius/releases/tag/v1.9.5 | Release Notes, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Sylius/Sylius/security/advisories/GHSA-rpxh-vg2x-526v | Mitigation, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*",
"matchCriteriaId": "EFE4E23B-2717-4743-89D6-4229457048E2",
"versionEndExcluding": "1.9.5",
"versionStartIncluding": "1.9.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Sylius is an Open Source eCommerce platform on top of Symfony. In versions of Sylius prior to 1.9.5 and 1.10.0-RC.1, part of the details (order ID, order number, items total, and token value) of all placed orders were exposed to unauthorized users. If exploited properly, a few additional information like the number of items in the cart and the date of the shipping may be fetched as well. This data seems to not be crucial nor is personal data, however, could be used for sociotechnical attacks or may expose a few details about shop condition to the third parties. The data possible to aggregate are the number of processed orders or their value in the moment of time. The problem has been patched at Sylius 1.9.5 and 1.10.0-RC.1. There are a few workarounds for the vulnerability. The first possible solution is to hide the problematic endpoints behind the firewall from not logged in users. This would put only the order list under the firewall and allow only authorized users to access it. Once a user is authorized, it will have access to theirs orders only. The second possible solution is to decorate the `\\Sylius\\Bundle\\ApiBundle\\Doctrine\\QueryCollectionExtension\\OrdersByLoggedInUserExtension` and throw `Symfony\\Component\\Security\\Core\\Exception\\AccessDeniedException` if the class is executed for unauthorized user."
},
{
"lang": "es",
"value": "Sylius es una plataforma Open Source eCommerce sobre Symfony. En las versiones de Sylius anteriores a 1.9.5 y 1.10.0-RC.1, parte de los detalles (ID del pedido, n\u00famero de pedido, total de art\u00edculos y valor del token) de todos los pedidos colocados estaban expuestos a usuarios no autorizados. Si es explotado apropiadamente, tambi\u00e9n se pueden obtener algunos datos adicionales como el n\u00famero de art\u00edculos en el carrito y la fecha de env\u00edo. Estos datos no parecen ser cruciales ni son datos personales, sin embargo, podr\u00edan ser usados para ataques sociot\u00e9cnicos o pueden exponer algunos detalles sobre el estado de la tienda a terceros. Los posibles datos que se pueden agregar son el n\u00famero de pedidos procesados o su valor en el momento. El problema ha sido parcheado en Sylius versiones 1.9.5 y 1.10.0-RC.1. Se presentan algunas soluciones para la vulnerabilidad. La primera soluci\u00f3n posible es ocultar los endpoints problem\u00e1ticos detr\u00e1s del firewall de los usuarios no conectados. Esto pondr\u00eda s\u00f3lo la lista de pedidos bajo el firewall y permitir\u00eda que s\u00f3lo los usuarios autorizados accedieran a ella. Una vez que un usuario est\u00e1 autorizado, s\u00f3lo tendr\u00e1 acceso a sus pedidos. La segunda soluci\u00f3n posible es decorar el \"Sylius\\Bundle\\ApiBundle\\Doctrine\\QueryCollectionExtension\\OrdersByLoggedInUserExtension\" y lanzar \"Symfony\\Component\\Security\\Core\\Exception\\AccessDeniedException\" si la clase es ejecutada por un usuario no autorizado"
}
],
"id": "CVE-2021-32720",
"lastModified": "2024-11-21T06:07:35.787",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-06-28T19:15:11.397",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.9.5"
},
{
"source": "security-advisories@github.com",
"tags": [
"Mitigation",
"Third Party Advisory"
],
"url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-rpxh-vg2x-526v"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.9.5"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mitigation",
"Third Party Advisory"
],
"url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-rpxh-vg2x-526v"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2020-15245
Vulnerability from fkie_nvd - Published: 2020-10-19 21:15 - Updated: 2024-11-21 05:05
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Summary
In Sylius before versions 1.6.9, 1.7.9 and 1.8.3, the user may register in a shop by email mail@example.com, verify it, change it to the mail another@domain.com and stay verified and enabled. This may lead to having accounts addressed to totally different emails, that were verified. Note, that this way one is not able to take over any existing account (guest or normal one). The issue has been patched in Sylius 1.6.9, 1.7.9 and 1.8.3. As a workaround, you may resolve this issue on your own by creating a custom event listener, which will listen to the sylius.customer.pre_update event. You can determine that email has been changed if customer email and user username are different. They are synchronized later on. Pay attention, to email changing behavior for administrators. You may need to skip this logic for them. In order to achieve this, you should either check master request path info, if it does not contain /admin prefix or adjust event triggered during customer update in the shop. You can find more information on how to customize the event here.
References
| URL | Tags | ||
|---|---|---|---|
| security-advisories@github.com | https://github.com/Sylius/Sylius/commit/60636d711a4011e8694d10d201b53632c7e8ecaf | Patch, Third Party Advisory | |
| security-advisories@github.com | https://github.com/Sylius/Sylius/security/advisories/GHSA-6gw4-x63h-5499 | Mitigation, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Sylius/Sylius/commit/60636d711a4011e8694d10d201b53632c7e8ecaf | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Sylius/Sylius/security/advisories/GHSA-6gw4-x63h-5499 | Mitigation, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B2E8B8E9-D805-4E1A-8AB4-B06B322668DA",
"versionEndExcluding": "1.6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6C4F2B73-6B56-4226-9F97-F5B3C2F14B4F",
"versionEndExcluding": "1.7.9",
"versionStartIncluding": "1.7.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B995A95C-06CD-46C4-90C4-FF42915BAFAF",
"versionEndExcluding": "1.8.3",
"versionStartIncluding": "1.8.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In Sylius before versions 1.6.9, 1.7.9 and 1.8.3, the user may register in a shop by email mail@example.com, verify it, change it to the mail another@domain.com and stay verified and enabled. This may lead to having accounts addressed to totally different emails, that were verified. Note, that this way one is not able to take over any existing account (guest or normal one). The issue has been patched in Sylius 1.6.9, 1.7.9 and 1.8.3. As a workaround, you may resolve this issue on your own by creating a custom event listener, which will listen to the sylius.customer.pre_update event. You can determine that email has been changed if customer email and user username are different. They are synchronized later on. Pay attention, to email changing behavior for administrators. You may need to skip this logic for them. In order to achieve this, you should either check master request path info, if it does not contain /admin prefix or adjust event triggered during customer update in the shop. You can find more information on how to customize the event here."
},
{
"lang": "es",
"value": "En Sylius versiones anteriores a 1.6.9, 1.7.9 y 1.8.3, el usuario puede registrarse en una tienda mediante el correo electr\u00f3nico mail@example.com, verificarlo, cambiarlo al correo another@domain.com y permanecer verificado y habilitado.\u0026#xa0;Esto puede conllevar a tener cuentas dirigidas a correos electr\u00f3nicos totalmente diferentes, que fueron verificados.\u0026#xa0;Tome en cuenta que de esta manera uno no es capaz de tomar el control de ninguna cuenta existente (de invitado o normal).\u0026#xa0;El problema ha sido parcheado en Sylius versiones 1.6.9, 1.7.9 y 1.8.3.\u0026#xa0;Como soluci\u00f3n alternativa, puede resolver este problema por su cuenta mediante la creaci\u00f3n de un detector de eventos personalizado, que escuchar\u00e1 el evento sylius.customer.pre_update.\u0026#xa0;Puede determinar que el correo electr\u00f3nico ha sido cambiado si el correo electr\u00f3nico del cliente y el nombre de usuario son diferentes.\u0026#xa0;Estos se sincronizan m\u00e1s tarde.\u0026#xa0;Preste atenci\u00f3n al comportamiento cambiante del correo electr\u00f3nico para los administradores.\u0026#xa0;Puede necesitar omitir esta l\u00f3gica para ellos.\u0026#xa0;En funci\u00f3n de lograr esto,\u0026#xa0;debe comprobar la informaci\u00f3n de la ruta de petici\u00f3n maestra, si no contiene el prefijo /admin o ajustar el evento activado durante la actualizaci\u00f3n del cliente en la tienda.\u0026#xa0;Puede encontrar m\u00e1s informaci\u00f3n sobre c\u00f3mo personalizar el evento aqu\u00ed"
}
],
"id": "CVE-2020-15245",
"lastModified": "2024-11-21T05:05:10.723",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-10-19T21:15:12.810",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/Sylius/Sylius/commit/60636d711a4011e8694d10d201b53632c7e8ecaf"
},
{
"source": "security-advisories@github.com",
"tags": [
"Mitigation",
"Third Party Advisory"
],
"url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-6gw4-x63h-5499"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/Sylius/Sylius/commit/60636d711a4011e8694d10d201b53632c7e8ecaf"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mitigation",
"Third Party Advisory"
],
"url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-6gw4-x63h-5499"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-862"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2024-57610 (GCVE-0-2024-57610)
Vulnerability from cvelistv5 – Published: 2025-02-06 00:00 – Updated: 2025-02-07 15:59 Disputed
VLAI?
Summary
A rate limiting issue in Sylius v2.0.2 allows a remote attacker to perform unrestricted brute-force attacks on user accounts, significantly increasing the risk of account compromise and denial of service for legitimate users. The Supplier's position is that the Sylius core software is not intended to address brute-force attacks; instead, customers deploying a Sylius-based system are supposed to use "firewalls, rate-limiting middleware, or authentication providers" for that functionality.
Severity ?
7.5 (High)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-57610",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-07T15:57:40.484090Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-307",
"description": "CWE-307 Improper Restriction of Excessive Authentication Attempts",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-07T15:59:30.207Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A rate limiting issue in Sylius v2.0.2 allows a remote attacker to perform unrestricted brute-force attacks on user accounts, significantly increasing the risk of account compromise and denial of service for legitimate users. The Supplier\u0027s position is that the Sylius core software is not intended to address brute-force attacks; instead, customers deploying a Sylius-based system are supposed to use \"firewalls, rate-limiting middleware, or authentication providers\" for that functionality."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-07T15:01:53.222Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/Sylius/Sylius"
},
{
"url": "https://sylius.com/"
},
{
"url": "https://github.com/nca785/CVE-2024-57610"
}
],
"tags": [
"disputed"
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-57610",
"datePublished": "2025-02-06T00:00:00.000Z",
"dateReserved": "2025-01-09T00:00:00.000Z",
"dateUpdated": "2025-02-07T15:59:30.207Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-3841 (GCVE-0-2021-3841)
Vulnerability from cvelistv5 – Published: 2024-11-15 10:52 – Updated: 2024-11-20 22:36
VLAI?
Title
Stored Cross-site Scripting (XSS) in sylius/sylius
Summary
sylius/sylius versions prior to 1.9.10, 1.10.11, and 1.11.2 are vulnerable to stored cross-site scripting (XSS) through SVG files. This vulnerability allows attackers to inject malicious scripts that can be executed in the context of the user's browser.
Severity ?
4.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| sylius | sylius/sylius |
Affected:
unspecified , < 1.9.10, 1.10.11, 1.11.2
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-3841",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-20T22:35:41.459041Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-20T22:36:05.302Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "sylius/sylius",
"vendor": "sylius",
"versions": [
{
"lessThan": "1.9.10, 1.10.11, 1.11.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "sylius/sylius versions prior to 1.9.10, 1.10.11, and 1.11.2 are vulnerable to stored cross-site scripting (XSS) through SVG files. This vulnerability allows attackers to inject malicious scripts that can be executed in the context of the user\u0027s browser."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-15T10:57:25.962Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntr_ai"
},
"references": [
{
"url": "https://huntr.com/bounties/1625506791178-Sylius/Sylius"
},
{
"url": "https://github.com/sylius/sylius/commit/3da169e0c23e752974d74223cc536c29a2a82edc"
}
],
"source": {
"advisory": "1625506791178-Sylius/Sylius",
"discovery": "EXTERNAL"
},
"title": "Stored Cross-site Scripting (XSS) in sylius/sylius"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntr_ai",
"cveId": "CVE-2021-3841",
"datePublished": "2024-11-15T10:52:01.371Z",
"dateReserved": "2021-09-30T10:17:10.364Z",
"dateUpdated": "2024-11-20T22:36:05.302Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-40633 (GCVE-0-2024-40633)
Vulnerability from cvelistv5 – Published: 2024-07-17 17:51 – Updated: 2024-08-02 04:33
VLAI?
Title
Customer data leak via adjustments API endpoint in Sylius
Summary
Sylius is an Open Source eCommerce Framework on Symfony. A security vulnerability was discovered in the `/api/v2/shop/adjustments/{id}` endpoint, which retrieves order adjustments based on incremental integer IDs. The vulnerability allows an attacker to enumerate valid adjustment IDs and retrieve order tokens. Using these tokens, an attacker can access guest customer order details - sensitive guest customer information. The issue is fixed in versions: 1.12.19, 1.13.4 and above. The `/api/v2/shop/adjustments/{id}` will always return `404` status. Users are advised to upgrade. Users unable to upgrade may alter their config to mitigate this issue. Please see the linked GHSA for details.
Severity ?
5.3 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "sylius",
"vendor": "sylius",
"versions": [
{
"lessThan": "1.12.19",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "1.12",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "1.13.4",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-40633",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-17T19:06:37.163426Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-17T19:17:09.615Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:33:11.961Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/Sylius/Sylius/security/advisories/GHSA-55rf-8q29-4g43",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-55rf-8q29-4g43"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Sylius",
"vendor": "Sylius",
"versions": [
{
"status": "affected",
"version": "\u003c 1.12.19"
},
{
"status": "affected",
"version": "\u003e= 1.13.0, \u003c 1.13.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Sylius is an Open Source eCommerce Framework on Symfony. A security vulnerability was discovered in the `/api/v2/shop/adjustments/{id}` endpoint, which retrieves order adjustments based on incremental integer IDs. The vulnerability allows an attacker to enumerate valid adjustment IDs and retrieve order tokens. Using these tokens, an attacker can access guest customer order details - sensitive guest customer information. The issue is fixed in versions: 1.12.19, 1.13.4 and above. The `/api/v2/shop/adjustments/{id}` will always return `404` status. Users are advised to upgrade. Users unable to upgrade may alter their config to mitigate this issue. Please see the linked GHSA for details."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-17T17:51:45.986Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Sylius/Sylius/security/advisories/GHSA-55rf-8q29-4g43",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-55rf-8q29-4g43"
}
],
"source": {
"advisory": "GHSA-55rf-8q29-4g43",
"discovery": "UNKNOWN"
},
"title": "Customer data leak via adjustments API endpoint in Sylius"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-40633",
"datePublished": "2024-07-17T17:51:45.986Z",
"dateReserved": "2024-07-08T16:13:15.511Z",
"dateUpdated": "2024-08-02T04:33:11.961Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-34349 (GCVE-0-2024-34349)
Vulnerability from cvelistv5 – Published: 2024-05-10 15:29 – Updated: 2024-08-02 02:51
VLAI?
Title
Sylius potentially vulnerable to Cross Site Scripting via "Name" field (Taxons, Products, Options, Variants) in Admin Panel
Summary
Sylius is an open source eCommerce platform. Prior to 1.12.16 and 1.13.1, there is a possibility to execute javascript code in the Admin panel. In order to perform an XSS attack input a script into Name field in which of the resources: Taxons, Products, Product Options or Product Variants. The code will be executed while using an autocomplete field with one of the listed entities in the Admin Panel. Also for the taxons in the category tree on the product form.The issue is fixed in versions: 1.12.16, 1.13.1.
Severity ?
4.8 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-34349",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-10T18:30:14.256886Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:42:11.744Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T02:51:11.424Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/Sylius/Sylius/security/advisories/GHSA-v2f9-rv6w-vw8r",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-v2f9-rv6w-vw8r"
},
{
"name": "https://github.com/Sylius/Sylius/commit/ba4b66da5af88cdb1bba6174de8bdf42f4853e12",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Sylius/Sylius/commit/ba4b66da5af88cdb1bba6174de8bdf42f4853e12"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Sylius",
"vendor": "Sylius",
"versions": [
{
"status": "affected",
"version": "\u003c 1.12.16"
},
{
"status": "affected",
"version": "\u003e= 1.13.0-alpha.1, \u003c 1.13.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Sylius is an open source eCommerce platform. Prior to 1.12.16 and 1.13.1, there is a possibility to execute javascript code in the Admin panel. In order to perform an XSS attack input a script into Name field in which of the resources: Taxons, Products, Product Options or Product Variants. The code will be executed while using an autocomplete field with one of the listed entities in the Admin Panel. Also for the taxons in the category tree on the product form.The issue is fixed in versions: 1.12.16, 1.13.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-08T12:35:38.149Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Sylius/Sylius/security/advisories/GHSA-v2f9-rv6w-vw8r",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-v2f9-rv6w-vw8r"
},
{
"name": "https://github.com/Sylius/Sylius/commit/ba4b66da5af88cdb1bba6174de8bdf42f4853e12",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Sylius/Sylius/commit/ba4b66da5af88cdb1bba6174de8bdf42f4853e12"
}
],
"source": {
"advisory": "GHSA-v2f9-rv6w-vw8r",
"discovery": "UNKNOWN"
},
"title": "Sylius potentially vulnerable to Cross Site Scripting via \"Name\" field (Taxons, Products, Options, Variants) in Admin Panel"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-34349",
"datePublished": "2024-05-10T15:29:39.791Z",
"dateReserved": "2024-05-02T06:36:32.437Z",
"dateUpdated": "2024-08-02T02:51:11.424Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-29376 (GCVE-0-2024-29376)
Vulnerability from cvelistv5 – Published: 2024-04-22 00:00 – Updated: 2024-11-22 14:28
VLAI?
Summary
Sylius 1.12.13 is vulnerable to Cross Site Scripting (XSS) via the "Province" field in Address Book.
Severity ?
6.4 (Medium)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:sylius:sylius:1.12.13:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "sylius",
"vendor": "sylius",
"versions": [
{
"status": "affected",
"version": "1.12.13"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-29376",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-22T23:48:15.908012Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-22T14:28:29.018Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:10:54.518Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/r2tunes/Reports/blob/main/Sylius.md"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Sylius 1.12.13 is vulnerable to Cross Site Scripting (XSS) via the \"Province\" field in Address Book."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-22T18:43:52.779188",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/r2tunes/Reports/blob/main/Sylius.md"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-29376",
"datePublished": "2024-04-22T00:00:00",
"dateReserved": "2024-03-19T00:00:00",
"dateUpdated": "2024-11-22T14:28:29.018Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-24749 (GCVE-0-2022-24749)
Vulnerability from cvelistv5 – Published: 2022-03-14 21:45 – Updated: 2025-04-22 18:18
VLAI?
Title
Basic Cross-site Scripting and Unrestricted Upload of File with Dangerous Type in Sylius
Summary
Sylius is an open source eCommerce platform. In versions prior to 1.9.10, 1.10.11, and 1.11.2, it is possible to upload an SVG file containing cross-site scripting (XSS) code in the admin panel. In order to perform a XSS attack, the file itself has to be open in a new card or loaded outside of the IMG tag. The problem applies both to the files opened on the admin panel and shop pages. The issue is fixed in versions 1.9.10, 1.10.11, and 1.11.2. As a workaround, require a library that adds on-upload file sanitization and overwrite the service before writing the file to the filesystem. The GitHub Security Advisory contains more specific information about the workaround.
Severity ?
6.1 (Medium)
CWE
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:20:50.445Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.10.11"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.11.2"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.9.10"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-4qrp-27r3-66fj"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-24749",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-22T15:49:14.780831Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-22T18:18:36.653Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Sylius",
"vendor": "Sylius",
"versions": [
{
"status": "affected",
"version": "\u003c 1.9.10"
},
{
"status": "affected",
"version": "\u003e= 1.10.0, \u003c 1.10.11"
},
{
"status": "affected",
"version": "\u003e= 1.11.0, \u003c 1.11.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Sylius is an open source eCommerce platform. In versions prior to 1.9.10, 1.10.11, and 1.11.2, it is possible to upload an SVG file containing cross-site scripting (XSS) code in the admin panel. In order to perform a XSS attack, the file itself has to be open in a new card or loaded outside of the IMG tag. The problem applies both to the files opened on the admin panel and shop pages. The issue is fixed in versions 1.9.10, 1.10.11, and 1.11.2. As a workaround, require a library that adds on-upload file sanitization and overwrite the service before writing the file to the filesystem. The GitHub Security Advisory contains more specific information about the workaround."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-80",
"description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434: Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-03-14T21:45:12.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.10.11"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.11.2"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.9.10"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-4qrp-27r3-66fj"
}
],
"source": {
"advisory": "GHSA-4qrp-27r3-66fj",
"discovery": "UNKNOWN"
},
"title": "Basic Cross-site Scripting and Unrestricted Upload of File with Dangerous Type in Sylius",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-24749",
"STATE": "PUBLIC",
"TITLE": "Basic Cross-site Scripting and Unrestricted Upload of File with Dangerous Type in Sylius"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Sylius",
"version": {
"version_data": [
{
"version_value": "\u003c 1.9.10"
},
{
"version_value": "\u003e= 1.10.0, \u003c 1.10.11"
},
{
"version_value": "\u003e= 1.11.0, \u003c 1.11.2"
}
]
}
}
]
},
"vendor_name": "Sylius"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Sylius is an open source eCommerce platform. In versions prior to 1.9.10, 1.10.11, and 1.11.2, it is possible to upload an SVG file containing cross-site scripting (XSS) code in the admin panel. In order to perform a XSS attack, the file itself has to be open in a new card or loaded outside of the IMG tag. The problem applies both to the files opened on the admin panel and shop pages. The issue is fixed in versions 1.9.10, 1.10.11, and 1.11.2. As a workaround, require a library that adds on-upload file sanitization and overwrite the service before writing the file to the filesystem. The GitHub Security Advisory contains more specific information about the workaround."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-434: Unrestricted Upload of File with Dangerous Type"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Sylius/Sylius/releases/tag/v1.10.11",
"refsource": "MISC",
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.10.11"
},
{
"name": "https://github.com/Sylius/Sylius/releases/tag/v1.11.2",
"refsource": "MISC",
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.11.2"
},
{
"name": "https://github.com/Sylius/Sylius/releases/tag/v1.9.10",
"refsource": "MISC",
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.9.10"
},
{
"name": "https://github.com/Sylius/Sylius/security/advisories/GHSA-4qrp-27r3-66fj",
"refsource": "CONFIRM",
"url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-4qrp-27r3-66fj"
}
]
},
"source": {
"advisory": "GHSA-4qrp-27r3-66fj",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-24749",
"datePublished": "2022-03-14T21:45:13.000Z",
"dateReserved": "2022-02-10T00:00:00.000Z",
"dateUpdated": "2025-04-22T18:18:36.653Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-24743 (GCVE-0-2022-24743)
Vulnerability from cvelistv5 – Published: 2022-03-14 21:00 – Updated: 2025-04-22 18:18
VLAI?
Title
Insufficient Session Expiration in Sylius
Summary
Sylius is an open source eCommerce platform. Prior to versions 1.10.11 and 1.11.2, the reset password token was not set to null after the password was changed. The same token could be used several times, which could result in leak of the existing token and unauthorized password change. The issue is fixed in versions 1.10.11 and 1.11.2. As a workaround, overwrite the `Sylius\Bundle\ApiBundle\CommandHandler\ResetPasswordHandler` class with code provided by the maintainers and register it in a container. More information about this workaround is available in the GitHub Security Advisory.
Severity ?
7.1 (High)
CWE
- CWE-613 - Insufficient Session Expiration
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:20:50.484Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.10.11"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.11.2"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-mf3v-f2qq-pf9g"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-24743",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-22T15:49:17.884088Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-22T18:18:50.307Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Sylius",
"vendor": "Sylius",
"versions": [
{
"status": "affected",
"version": "\u003c 1.10.11"
},
{
"status": "affected",
"version": "\u003e= 1.11.0, \u003c 1.11.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Sylius is an open source eCommerce platform. Prior to versions 1.10.11 and 1.11.2, the reset password token was not set to null after the password was changed. The same token could be used several times, which could result in leak of the existing token and unauthorized password change. The issue is fixed in versions 1.10.11 and 1.11.2. As a workaround, overwrite the `Sylius\\Bundle\\ApiBundle\\CommandHandler\\ResetPasswordHandler` class with code provided by the maintainers and register it in a container. More information about this workaround is available in the GitHub Security Advisory."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613: Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-03-14T21:00:14.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.10.11"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.11.2"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-mf3v-f2qq-pf9g"
}
],
"source": {
"advisory": "GHSA-mf3v-f2qq-pf9g",
"discovery": "UNKNOWN"
},
"title": "Insufficient Session Expiration in Sylius",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-24743",
"STATE": "PUBLIC",
"TITLE": "Insufficient Session Expiration in Sylius"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Sylius",
"version": {
"version_data": [
{
"version_value": "\u003c 1.10.11"
},
{
"version_value": "\u003e= 1.11.0, \u003c 1.11.2"
}
]
}
}
]
},
"vendor_name": "Sylius"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Sylius is an open source eCommerce platform. Prior to versions 1.10.11 and 1.11.2, the reset password token was not set to null after the password was changed. The same token could be used several times, which could result in leak of the existing token and unauthorized password change. The issue is fixed in versions 1.10.11 and 1.11.2. As a workaround, overwrite the `Sylius\\Bundle\\ApiBundle\\CommandHandler\\ResetPasswordHandler` class with code provided by the maintainers and register it in a container. More information about this workaround is available in the GitHub Security Advisory."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-613: Insufficient Session Expiration"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Sylius/Sylius/releases/tag/v1.10.11",
"refsource": "MISC",
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.10.11"
},
{
"name": "https://github.com/Sylius/Sylius/releases/tag/v1.11.2",
"refsource": "MISC",
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.11.2"
},
{
"name": "https://github.com/Sylius/Sylius/security/advisories/GHSA-mf3v-f2qq-pf9g",
"refsource": "CONFIRM",
"url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-mf3v-f2qq-pf9g"
}
]
},
"source": {
"advisory": "GHSA-mf3v-f2qq-pf9g",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-24743",
"datePublished": "2022-03-14T21:00:14.000Z",
"dateReserved": "2022-02-10T00:00:00.000Z",
"dateUpdated": "2025-04-22T18:18:50.307Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-24742 (GCVE-0-2022-24742)
Vulnerability from cvelistv5 – Published: 2022-03-14 19:20 – Updated: 2025-04-23 18:54
VLAI?
Title
Exposure of Sensitive Information Due to Incompatible Policies in Sylius
Summary
Sylius is an open source eCommerce platform. Prior to versions 1.9.10, 1.10.11, and 1.11.2, any other user can view the data if browser tab remains unclosed after log out. The issue is fixed in versions 1.9.10, 1.10.11, and 1.11.2. A workaround is available. The application must strictly redirect to login page even browser back button is pressed. Another possibility is to set more strict cache policies for restricted content.
Severity ?
5 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:20:50.160Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.10.11"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.11.2"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.9.10"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-7563-75j9-6h5p"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-24742",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T14:09:05.327792Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T18:54:10.363Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Sylius",
"vendor": "Sylius",
"versions": [
{
"status": "affected",
"version": "\u003c 1.9.10"
},
{
"status": "affected",
"version": "\u003e= 1.10.0, \u003c 1.10.11"
},
{
"status": "affected",
"version": "\u003e= 1.11.0, \u003c 1.11.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Sylius is an open source eCommerce platform. Prior to versions 1.9.10, 1.10.11, and 1.11.2, any other user can view the data if browser tab remains unclosed after log out. The issue is fixed in versions 1.9.10, 1.10.11, and 1.11.2. A workaround is available. The application must strictly redirect to login page even browser back button is pressed. Another possibility is to set more strict cache policies for restricted content."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-03-14T19:20:10.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.10.11"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.11.2"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.9.10"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-7563-75j9-6h5p"
}
],
"source": {
"advisory": "GHSA-7563-75j9-6h5p",
"discovery": "UNKNOWN"
},
"title": "Exposure of Sensitive Information Due to Incompatible Policies in Sylius",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-24742",
"STATE": "PUBLIC",
"TITLE": "Exposure of Sensitive Information Due to Incompatible Policies in Sylius"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Sylius",
"version": {
"version_data": [
{
"version_value": "\u003c 1.9.10"
},
{
"version_value": "\u003e= 1.10.0, \u003c 1.10.11"
},
{
"version_value": "\u003e= 1.11.0, \u003c 1.11.2"
}
]
}
}
]
},
"vendor_name": "Sylius"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Sylius is an open source eCommerce platform. Prior to versions 1.9.10, 1.10.11, and 1.11.2, any other user can view the data if browser tab remains unclosed after log out. The issue is fixed in versions 1.9.10, 1.10.11, and 1.11.2. A workaround is available. The application must strictly redirect to login page even browser back button is pressed. Another possibility is to set more strict cache policies for restricted content."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Sylius/Sylius/releases/tag/v1.10.11",
"refsource": "MISC",
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.10.11"
},
{
"name": "https://github.com/Sylius/Sylius/releases/tag/v1.11.2",
"refsource": "MISC",
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.11.2"
},
{
"name": "https://github.com/Sylius/Sylius/releases/tag/v1.9.10",
"refsource": "MISC",
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.9.10"
},
{
"name": "https://github.com/Sylius/Sylius/security/advisories/GHSA-7563-75j9-6h5p",
"refsource": "CONFIRM",
"url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-7563-75j9-6h5p"
}
]
},
"source": {
"advisory": "GHSA-7563-75j9-6h5p",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-24742",
"datePublished": "2022-03-14T19:20:10.000Z",
"dateReserved": "2022-02-10T00:00:00.000Z",
"dateUpdated": "2025-04-23T18:54:10.363Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-24733 (GCVE-0-2022-24733)
Vulnerability from cvelistv5 – Published: 2022-03-14 18:50 – Updated: 2025-04-23 18:54
VLAI?
Title
Improper Restriction of Rendered UI Layers or Frames in Sylius
Summary
Sylius is an open source eCommerce platform. Prior to versions 1.9.10, 1.10.11, and 1.11.2, it is possible for a page controlled by an attacker to load the website within an iframe. This will enable a clickjacking attack, in which the attacker's page overlays the target application's interface with a different interface provided by the attacker. The issue is fixed in versions 1.9.10, 1.10.11, and 1.11.2. A workaround is available. Every response from app should have an X-Frame-Options header set to: ``sameorigin``. To achieve that, add a new `subscriber` in the app.
Severity ?
6.1 (Medium)
CWE
- CWE-1021 - Improper Restriction of Rendered UI Layers or Frames
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:20:49.808Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-4jp3-q2qm-9fmw"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.10.11"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.11.2"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.9.10"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-24733",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T14:09:08.211087Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T18:54:19.052Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Sylius",
"vendor": "Sylius",
"versions": [
{
"status": "affected",
"version": "\u003c 1.9.10"
},
{
"status": "affected",
"version": "\u003e= 1.10.0, \u003c 1.10.11"
},
{
"status": "affected",
"version": "\u003e= 1.11.0, \u003c 1.11.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Sylius is an open source eCommerce platform. Prior to versions 1.9.10, 1.10.11, and 1.11.2, it is possible for a page controlled by an attacker to load the website within an iframe. This will enable a clickjacking attack, in which the attacker\u0027s page overlays the target application\u0027s interface with a different interface provided by the attacker. The issue is fixed in versions 1.9.10, 1.10.11, and 1.11.2. A workaround is available. Every response from app should have an X-Frame-Options header set to: ``sameorigin``. To achieve that, add a new `subscriber` in the app."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1021",
"description": "CWE-1021: Improper Restriction of Rendered UI Layers or Frames",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-03-14T18:50:10.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-4jp3-q2qm-9fmw"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.10.11"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.11.2"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.9.10"
}
],
"source": {
"advisory": "GHSA-4jp3-q2qm-9fmw",
"discovery": "UNKNOWN"
},
"title": "Improper Restriction of Rendered UI Layers or Frames in Sylius",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-24733",
"STATE": "PUBLIC",
"TITLE": "Improper Restriction of Rendered UI Layers or Frames in Sylius"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Sylius",
"version": {
"version_data": [
{
"version_value": "\u003c 1.9.10"
},
{
"version_value": "\u003e= 1.10.0, \u003c 1.10.11"
},
{
"version_value": "\u003e= 1.11.0, \u003c 1.11.2"
}
]
}
}
]
},
"vendor_name": "Sylius"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Sylius is an open source eCommerce platform. Prior to versions 1.9.10, 1.10.11, and 1.11.2, it is possible for a page controlled by an attacker to load the website within an iframe. This will enable a clickjacking attack, in which the attacker\u0027s page overlays the target application\u0027s interface with a different interface provided by the attacker. The issue is fixed in versions 1.9.10, 1.10.11, and 1.11.2. A workaround is available. Every response from app should have an X-Frame-Options header set to: ``sameorigin``. To achieve that, add a new `subscriber` in the app."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-1021: Improper Restriction of Rendered UI Layers or Frames"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Sylius/Sylius/security/advisories/GHSA-4jp3-q2qm-9fmw",
"refsource": "CONFIRM",
"url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-4jp3-q2qm-9fmw"
},
{
"name": "https://github.com/Sylius/Sylius/releases/tag/v1.10.11",
"refsource": "MISC",
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.10.11"
},
{
"name": "https://github.com/Sylius/Sylius/releases/tag/v1.11.2",
"refsource": "MISC",
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.11.2"
},
{
"name": "https://github.com/Sylius/Sylius/releases/tag/v1.9.10",
"refsource": "MISC",
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.9.10"
}
]
},
"source": {
"advisory": "GHSA-4jp3-q2qm-9fmw",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-24733",
"datePublished": "2022-03-14T18:50:10.000Z",
"dateReserved": "2022-02-10T00:00:00.000Z",
"dateUpdated": "2025-04-23T18:54:19.052Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-32720 (GCVE-0-2021-32720)
Vulnerability from cvelistv5 – Published: 2021-06-28 18:45 – Updated: 2024-08-03 23:25
VLAI?
Title
List of order ids, number, items total and token value exposed for unauthorized uses via new API
Summary
Sylius is an Open Source eCommerce platform on top of Symfony. In versions of Sylius prior to 1.9.5 and 1.10.0-RC.1, part of the details (order ID, order number, items total, and token value) of all placed orders were exposed to unauthorized users. If exploited properly, a few additional information like the number of items in the cart and the date of the shipping may be fetched as well. This data seems to not be crucial nor is personal data, however, could be used for sociotechnical attacks or may expose a few details about shop condition to the third parties. The data possible to aggregate are the number of processed orders or their value in the moment of time. The problem has been patched at Sylius 1.9.5 and 1.10.0-RC.1. There are a few workarounds for the vulnerability. The first possible solution is to hide the problematic endpoints behind the firewall from not logged in users. This would put only the order list under the firewall and allow only authorized users to access it. Once a user is authorized, it will have access to theirs orders only. The second possible solution is to decorate the `\Sylius\Bundle\ApiBundle\Doctrine\QueryCollectionExtension\OrdersByLoggedInUserExtension` and throw `Symfony\Component\Security\Core\Exception\AccessDeniedException` if the class is executed for unauthorized user.
Severity ?
5.3 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T23:25:31.162Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-rpxh-vg2x-526v"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.9.5"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Sylius",
"vendor": "Sylius",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.9.0, \u003c 1.9.5"
},
{
"status": "affected",
"version": "\u003e= 1.10.0-ALPHA.1, \u003c= 1.10.0-BETA.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Sylius is an Open Source eCommerce platform on top of Symfony. In versions of Sylius prior to 1.9.5 and 1.10.0-RC.1, part of the details (order ID, order number, items total, and token value) of all placed orders were exposed to unauthorized users. If exploited properly, a few additional information like the number of items in the cart and the date of the shipping may be fetched as well. This data seems to not be crucial nor is personal data, however, could be used for sociotechnical attacks or may expose a few details about shop condition to the third parties. The data possible to aggregate are the number of processed orders or their value in the moment of time. The problem has been patched at Sylius 1.9.5 and 1.10.0-RC.1. There are a few workarounds for the vulnerability. The first possible solution is to hide the problematic endpoints behind the firewall from not logged in users. This would put only the order list under the firewall and allow only authorized users to access it. Once a user is authorized, it will have access to theirs orders only. The second possible solution is to decorate the `\\Sylius\\Bundle\\ApiBundle\\Doctrine\\QueryCollectionExtension\\OrdersByLoggedInUserExtension` and throw `Symfony\\Component\\Security\\Core\\Exception\\AccessDeniedException` if the class is executed for unauthorized user."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-28T18:45:11",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-rpxh-vg2x-526v"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.9.5"
}
],
"source": {
"advisory": "GHSA-rpxh-vg2x-526v",
"discovery": "UNKNOWN"
},
"title": "List of order ids, number, items total and token value exposed for unauthorized uses via new API",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-32720",
"STATE": "PUBLIC",
"TITLE": "List of order ids, number, items total and token value exposed for unauthorized uses via new API"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Sylius",
"version": {
"version_data": [
{
"version_value": "\u003e= 1.9.0, \u003c 1.9.5"
},
{
"version_value": "\u003e= 1.10.0-ALPHA.1, \u003c= 1.10.0-BETA.1"
}
]
}
}
]
},
"vendor_name": "Sylius"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Sylius is an Open Source eCommerce platform on top of Symfony. In versions of Sylius prior to 1.9.5 and 1.10.0-RC.1, part of the details (order ID, order number, items total, and token value) of all placed orders were exposed to unauthorized users. If exploited properly, a few additional information like the number of items in the cart and the date of the shipping may be fetched as well. This data seems to not be crucial nor is personal data, however, could be used for sociotechnical attacks or may expose a few details about shop condition to the third parties. The data possible to aggregate are the number of processed orders or their value in the moment of time. The problem has been patched at Sylius 1.9.5 and 1.10.0-RC.1. There are a few workarounds for the vulnerability. The first possible solution is to hide the problematic endpoints behind the firewall from not logged in users. This would put only the order list under the firewall and allow only authorized users to access it. Once a user is authorized, it will have access to theirs orders only. The second possible solution is to decorate the `\\Sylius\\Bundle\\ApiBundle\\Doctrine\\QueryCollectionExtension\\OrdersByLoggedInUserExtension` and throw `Symfony\\Component\\Security\\Core\\Exception\\AccessDeniedException` if the class is executed for unauthorized user."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Sylius/Sylius/security/advisories/GHSA-rpxh-vg2x-526v",
"refsource": "CONFIRM",
"url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-rpxh-vg2x-526v"
},
{
"name": "https://github.com/Sylius/Sylius/releases/tag/v1.9.5",
"refsource": "MISC",
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.9.5"
}
]
},
"source": {
"advisory": "GHSA-rpxh-vg2x-526v",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-32720",
"datePublished": "2021-06-28T18:45:11",
"dateReserved": "2021-05-12T00:00:00",
"dateUpdated": "2024-08-03T23:25:31.162Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-15245 (GCVE-0-2020-15245)
Vulnerability from cvelistv5 – Published: 2020-10-19 20:50 – Updated: 2024-08-04 13:08
VLAI?
Title
Email verification bypass in Sylius
Summary
In Sylius before versions 1.6.9, 1.7.9 and 1.8.3, the user may register in a shop by email mail@example.com, verify it, change it to the mail another@domain.com and stay verified and enabled. This may lead to having accounts addressed to totally different emails, that were verified. Note, that this way one is not able to take over any existing account (guest or normal one). The issue has been patched in Sylius 1.6.9, 1.7.9 and 1.8.3. As a workaround, you may resolve this issue on your own by creating a custom event listener, which will listen to the sylius.customer.pre_update event. You can determine that email has been changed if customer email and user username are different. They are synchronized later on. Pay attention, to email changing behavior for administrators. You may need to skip this logic for them. In order to achieve this, you should either check master request path info, if it does not contain /admin prefix or adjust event triggered during customer update in the shop. You can find more information on how to customize the event here.
Severity ?
4.3 (Medium)
CWE
- CWE-79 - {"CWE-79":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:08:23.223Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-6gw4-x63h-5499"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Sylius/Sylius/commit/60636d711a4011e8694d10d201b53632c7e8ecaf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Sylius",
"vendor": "Sylius",
"versions": [
{
"status": "affected",
"version": "\u003e= 9.0.0, \u003c 9.4.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Sylius before versions 1.6.9, 1.7.9 and 1.8.3, the user may register in a shop by email mail@example.com, verify it, change it to the mail another@domain.com and stay verified and enabled. This may lead to having accounts addressed to totally different emails, that were verified. Note, that this way one is not able to take over any existing account (guest or normal one). The issue has been patched in Sylius 1.6.9, 1.7.9 and 1.8.3. As a workaround, you may resolve this issue on your own by creating a custom event listener, which will listen to the sylius.customer.pre_update event. You can determine that email has been changed if customer email and user username are different. They are synchronized later on. Pay attention, to email changing behavior for administrators. You may need to skip this logic for them. In order to achieve this, you should either check master request path info, if it does not contain /admin prefix or adjust event triggered during customer update in the shop. You can find more information on how to customize the event here."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "{\"CWE-79\":\"Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-10-19T20:50:16",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-6gw4-x63h-5499"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Sylius/Sylius/commit/60636d711a4011e8694d10d201b53632c7e8ecaf"
}
],
"source": {
"advisory": "GHSA-6gw4-x63h-5499",
"discovery": "UNKNOWN"
},
"title": "Email verification bypass in Sylius",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-15245",
"STATE": "PUBLIC",
"TITLE": "Email verification bypass in Sylius"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Sylius",
"version": {
"version_data": [
{
"version_value": "\u003e= 9.0.0, \u003c 9.4.4"
}
]
}
}
]
},
"vendor_name": "Sylius"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Sylius before versions 1.6.9, 1.7.9 and 1.8.3, the user may register in a shop by email mail@example.com, verify it, change it to the mail another@domain.com and stay verified and enabled. This may lead to having accounts addressed to totally different emails, that were verified. Note, that this way one is not able to take over any existing account (guest or normal one). The issue has been patched in Sylius 1.6.9, 1.7.9 and 1.8.3. As a workaround, you may resolve this issue on your own by creating a custom event listener, which will listen to the sylius.customer.pre_update event. You can determine that email has been changed if customer email and user username are different. They are synchronized later on. Pay attention, to email changing behavior for administrators. You may need to skip this logic for them. In order to achieve this, you should either check master request path info, if it does not contain /admin prefix or adjust event triggered during customer update in the shop. You can find more information on how to customize the event here."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "{\"CWE-79\":\"Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Sylius/Sylius/security/advisories/GHSA-6gw4-x63h-5499",
"refsource": "CONFIRM",
"url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-6gw4-x63h-5499"
},
{
"name": "https://github.com/Sylius/Sylius/commit/60636d711a4011e8694d10d201b53632c7e8ecaf",
"refsource": "MISC",
"url": "https://github.com/Sylius/Sylius/commit/60636d711a4011e8694d10d201b53632c7e8ecaf"
}
]
},
"source": {
"advisory": "GHSA-6gw4-x63h-5499",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-15245",
"datePublished": "2020-10-19T20:50:16",
"dateReserved": "2020-06-25T00:00:00",
"dateUpdated": "2024-08-04T13:08:23.223Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-57610 (GCVE-0-2024-57610)
Vulnerability from nvd – Published: 2025-02-06 00:00 – Updated: 2025-02-07 15:59 Disputed
VLAI?
Summary
A rate limiting issue in Sylius v2.0.2 allows a remote attacker to perform unrestricted brute-force attacks on user accounts, significantly increasing the risk of account compromise and denial of service for legitimate users. The Supplier's position is that the Sylius core software is not intended to address brute-force attacks; instead, customers deploying a Sylius-based system are supposed to use "firewalls, rate-limiting middleware, or authentication providers" for that functionality.
Severity ?
7.5 (High)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-57610",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-07T15:57:40.484090Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-307",
"description": "CWE-307 Improper Restriction of Excessive Authentication Attempts",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-07T15:59:30.207Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A rate limiting issue in Sylius v2.0.2 allows a remote attacker to perform unrestricted brute-force attacks on user accounts, significantly increasing the risk of account compromise and denial of service for legitimate users. The Supplier\u0027s position is that the Sylius core software is not intended to address brute-force attacks; instead, customers deploying a Sylius-based system are supposed to use \"firewalls, rate-limiting middleware, or authentication providers\" for that functionality."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-07T15:01:53.222Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/Sylius/Sylius"
},
{
"url": "https://sylius.com/"
},
{
"url": "https://github.com/nca785/CVE-2024-57610"
}
],
"tags": [
"disputed"
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-57610",
"datePublished": "2025-02-06T00:00:00.000Z",
"dateReserved": "2025-01-09T00:00:00.000Z",
"dateUpdated": "2025-02-07T15:59:30.207Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-3841 (GCVE-0-2021-3841)
Vulnerability from nvd – Published: 2024-11-15 10:52 – Updated: 2024-11-20 22:36
VLAI?
Title
Stored Cross-site Scripting (XSS) in sylius/sylius
Summary
sylius/sylius versions prior to 1.9.10, 1.10.11, and 1.11.2 are vulnerable to stored cross-site scripting (XSS) through SVG files. This vulnerability allows attackers to inject malicious scripts that can be executed in the context of the user's browser.
Severity ?
4.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| sylius | sylius/sylius |
Affected:
unspecified , < 1.9.10, 1.10.11, 1.11.2
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-3841",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-20T22:35:41.459041Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-20T22:36:05.302Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "sylius/sylius",
"vendor": "sylius",
"versions": [
{
"lessThan": "1.9.10, 1.10.11, 1.11.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "sylius/sylius versions prior to 1.9.10, 1.10.11, and 1.11.2 are vulnerable to stored cross-site scripting (XSS) through SVG files. This vulnerability allows attackers to inject malicious scripts that can be executed in the context of the user\u0027s browser."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-15T10:57:25.962Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntr_ai"
},
"references": [
{
"url": "https://huntr.com/bounties/1625506791178-Sylius/Sylius"
},
{
"url": "https://github.com/sylius/sylius/commit/3da169e0c23e752974d74223cc536c29a2a82edc"
}
],
"source": {
"advisory": "1625506791178-Sylius/Sylius",
"discovery": "EXTERNAL"
},
"title": "Stored Cross-site Scripting (XSS) in sylius/sylius"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntr_ai",
"cveId": "CVE-2021-3841",
"datePublished": "2024-11-15T10:52:01.371Z",
"dateReserved": "2021-09-30T10:17:10.364Z",
"dateUpdated": "2024-11-20T22:36:05.302Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-40633 (GCVE-0-2024-40633)
Vulnerability from nvd – Published: 2024-07-17 17:51 – Updated: 2024-08-02 04:33
VLAI?
Title
Customer data leak via adjustments API endpoint in Sylius
Summary
Sylius is an Open Source eCommerce Framework on Symfony. A security vulnerability was discovered in the `/api/v2/shop/adjustments/{id}` endpoint, which retrieves order adjustments based on incremental integer IDs. The vulnerability allows an attacker to enumerate valid adjustment IDs and retrieve order tokens. Using these tokens, an attacker can access guest customer order details - sensitive guest customer information. The issue is fixed in versions: 1.12.19, 1.13.4 and above. The `/api/v2/shop/adjustments/{id}` will always return `404` status. Users are advised to upgrade. Users unable to upgrade may alter their config to mitigate this issue. Please see the linked GHSA for details.
Severity ?
5.3 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "sylius",
"vendor": "sylius",
"versions": [
{
"lessThan": "1.12.19",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "1.12",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "1.13.4",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-40633",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-17T19:06:37.163426Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-17T19:17:09.615Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:33:11.961Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/Sylius/Sylius/security/advisories/GHSA-55rf-8q29-4g43",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-55rf-8q29-4g43"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Sylius",
"vendor": "Sylius",
"versions": [
{
"status": "affected",
"version": "\u003c 1.12.19"
},
{
"status": "affected",
"version": "\u003e= 1.13.0, \u003c 1.13.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Sylius is an Open Source eCommerce Framework on Symfony. A security vulnerability was discovered in the `/api/v2/shop/adjustments/{id}` endpoint, which retrieves order adjustments based on incremental integer IDs. The vulnerability allows an attacker to enumerate valid adjustment IDs and retrieve order tokens. Using these tokens, an attacker can access guest customer order details - sensitive guest customer information. The issue is fixed in versions: 1.12.19, 1.13.4 and above. The `/api/v2/shop/adjustments/{id}` will always return `404` status. Users are advised to upgrade. Users unable to upgrade may alter their config to mitigate this issue. Please see the linked GHSA for details."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-17T17:51:45.986Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Sylius/Sylius/security/advisories/GHSA-55rf-8q29-4g43",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-55rf-8q29-4g43"
}
],
"source": {
"advisory": "GHSA-55rf-8q29-4g43",
"discovery": "UNKNOWN"
},
"title": "Customer data leak via adjustments API endpoint in Sylius"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-40633",
"datePublished": "2024-07-17T17:51:45.986Z",
"dateReserved": "2024-07-08T16:13:15.511Z",
"dateUpdated": "2024-08-02T04:33:11.961Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-34349 (GCVE-0-2024-34349)
Vulnerability from nvd – Published: 2024-05-10 15:29 – Updated: 2024-08-02 02:51
VLAI?
Title
Sylius potentially vulnerable to Cross Site Scripting via "Name" field (Taxons, Products, Options, Variants) in Admin Panel
Summary
Sylius is an open source eCommerce platform. Prior to 1.12.16 and 1.13.1, there is a possibility to execute javascript code in the Admin panel. In order to perform an XSS attack input a script into Name field in which of the resources: Taxons, Products, Product Options or Product Variants. The code will be executed while using an autocomplete field with one of the listed entities in the Admin Panel. Also for the taxons in the category tree on the product form.The issue is fixed in versions: 1.12.16, 1.13.1.
Severity ?
4.8 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-34349",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-10T18:30:14.256886Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:42:11.744Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T02:51:11.424Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/Sylius/Sylius/security/advisories/GHSA-v2f9-rv6w-vw8r",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-v2f9-rv6w-vw8r"
},
{
"name": "https://github.com/Sylius/Sylius/commit/ba4b66da5af88cdb1bba6174de8bdf42f4853e12",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Sylius/Sylius/commit/ba4b66da5af88cdb1bba6174de8bdf42f4853e12"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Sylius",
"vendor": "Sylius",
"versions": [
{
"status": "affected",
"version": "\u003c 1.12.16"
},
{
"status": "affected",
"version": "\u003e= 1.13.0-alpha.1, \u003c 1.13.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Sylius is an open source eCommerce platform. Prior to 1.12.16 and 1.13.1, there is a possibility to execute javascript code in the Admin panel. In order to perform an XSS attack input a script into Name field in which of the resources: Taxons, Products, Product Options or Product Variants. The code will be executed while using an autocomplete field with one of the listed entities in the Admin Panel. Also for the taxons in the category tree on the product form.The issue is fixed in versions: 1.12.16, 1.13.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-08T12:35:38.149Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Sylius/Sylius/security/advisories/GHSA-v2f9-rv6w-vw8r",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-v2f9-rv6w-vw8r"
},
{
"name": "https://github.com/Sylius/Sylius/commit/ba4b66da5af88cdb1bba6174de8bdf42f4853e12",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Sylius/Sylius/commit/ba4b66da5af88cdb1bba6174de8bdf42f4853e12"
}
],
"source": {
"advisory": "GHSA-v2f9-rv6w-vw8r",
"discovery": "UNKNOWN"
},
"title": "Sylius potentially vulnerable to Cross Site Scripting via \"Name\" field (Taxons, Products, Options, Variants) in Admin Panel"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-34349",
"datePublished": "2024-05-10T15:29:39.791Z",
"dateReserved": "2024-05-02T06:36:32.437Z",
"dateUpdated": "2024-08-02T02:51:11.424Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-29376 (GCVE-0-2024-29376)
Vulnerability from nvd – Published: 2024-04-22 00:00 – Updated: 2024-11-22 14:28
VLAI?
Summary
Sylius 1.12.13 is vulnerable to Cross Site Scripting (XSS) via the "Province" field in Address Book.
Severity ?
6.4 (Medium)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:sylius:sylius:1.12.13:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "sylius",
"vendor": "sylius",
"versions": [
{
"status": "affected",
"version": "1.12.13"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-29376",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-22T23:48:15.908012Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-22T14:28:29.018Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:10:54.518Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/r2tunes/Reports/blob/main/Sylius.md"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Sylius 1.12.13 is vulnerable to Cross Site Scripting (XSS) via the \"Province\" field in Address Book."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-22T18:43:52.779188",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/r2tunes/Reports/blob/main/Sylius.md"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-29376",
"datePublished": "2024-04-22T00:00:00",
"dateReserved": "2024-03-19T00:00:00",
"dateUpdated": "2024-11-22T14:28:29.018Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-24749 (GCVE-0-2022-24749)
Vulnerability from nvd – Published: 2022-03-14 21:45 – Updated: 2025-04-22 18:18
VLAI?
Title
Basic Cross-site Scripting and Unrestricted Upload of File with Dangerous Type in Sylius
Summary
Sylius is an open source eCommerce platform. In versions prior to 1.9.10, 1.10.11, and 1.11.2, it is possible to upload an SVG file containing cross-site scripting (XSS) code in the admin panel. In order to perform a XSS attack, the file itself has to be open in a new card or loaded outside of the IMG tag. The problem applies both to the files opened on the admin panel and shop pages. The issue is fixed in versions 1.9.10, 1.10.11, and 1.11.2. As a workaround, require a library that adds on-upload file sanitization and overwrite the service before writing the file to the filesystem. The GitHub Security Advisory contains more specific information about the workaround.
Severity ?
6.1 (Medium)
CWE
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:20:50.445Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.10.11"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.11.2"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.9.10"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-4qrp-27r3-66fj"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-24749",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-22T15:49:14.780831Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-22T18:18:36.653Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Sylius",
"vendor": "Sylius",
"versions": [
{
"status": "affected",
"version": "\u003c 1.9.10"
},
{
"status": "affected",
"version": "\u003e= 1.10.0, \u003c 1.10.11"
},
{
"status": "affected",
"version": "\u003e= 1.11.0, \u003c 1.11.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Sylius is an open source eCommerce platform. In versions prior to 1.9.10, 1.10.11, and 1.11.2, it is possible to upload an SVG file containing cross-site scripting (XSS) code in the admin panel. In order to perform a XSS attack, the file itself has to be open in a new card or loaded outside of the IMG tag. The problem applies both to the files opened on the admin panel and shop pages. The issue is fixed in versions 1.9.10, 1.10.11, and 1.11.2. As a workaround, require a library that adds on-upload file sanitization and overwrite the service before writing the file to the filesystem. The GitHub Security Advisory contains more specific information about the workaround."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-80",
"description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434: Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-03-14T21:45:12.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.10.11"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.11.2"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.9.10"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-4qrp-27r3-66fj"
}
],
"source": {
"advisory": "GHSA-4qrp-27r3-66fj",
"discovery": "UNKNOWN"
},
"title": "Basic Cross-site Scripting and Unrestricted Upload of File with Dangerous Type in Sylius",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-24749",
"STATE": "PUBLIC",
"TITLE": "Basic Cross-site Scripting and Unrestricted Upload of File with Dangerous Type in Sylius"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Sylius",
"version": {
"version_data": [
{
"version_value": "\u003c 1.9.10"
},
{
"version_value": "\u003e= 1.10.0, \u003c 1.10.11"
},
{
"version_value": "\u003e= 1.11.0, \u003c 1.11.2"
}
]
}
}
]
},
"vendor_name": "Sylius"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Sylius is an open source eCommerce platform. In versions prior to 1.9.10, 1.10.11, and 1.11.2, it is possible to upload an SVG file containing cross-site scripting (XSS) code in the admin panel. In order to perform a XSS attack, the file itself has to be open in a new card or loaded outside of the IMG tag. The problem applies both to the files opened on the admin panel and shop pages. The issue is fixed in versions 1.9.10, 1.10.11, and 1.11.2. As a workaround, require a library that adds on-upload file sanitization and overwrite the service before writing the file to the filesystem. The GitHub Security Advisory contains more specific information about the workaround."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-434: Unrestricted Upload of File with Dangerous Type"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Sylius/Sylius/releases/tag/v1.10.11",
"refsource": "MISC",
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.10.11"
},
{
"name": "https://github.com/Sylius/Sylius/releases/tag/v1.11.2",
"refsource": "MISC",
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.11.2"
},
{
"name": "https://github.com/Sylius/Sylius/releases/tag/v1.9.10",
"refsource": "MISC",
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.9.10"
},
{
"name": "https://github.com/Sylius/Sylius/security/advisories/GHSA-4qrp-27r3-66fj",
"refsource": "CONFIRM",
"url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-4qrp-27r3-66fj"
}
]
},
"source": {
"advisory": "GHSA-4qrp-27r3-66fj",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-24749",
"datePublished": "2022-03-14T21:45:13.000Z",
"dateReserved": "2022-02-10T00:00:00.000Z",
"dateUpdated": "2025-04-22T18:18:36.653Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-24743 (GCVE-0-2022-24743)
Vulnerability from nvd – Published: 2022-03-14 21:00 – Updated: 2025-04-22 18:18
VLAI?
Title
Insufficient Session Expiration in Sylius
Summary
Sylius is an open source eCommerce platform. Prior to versions 1.10.11 and 1.11.2, the reset password token was not set to null after the password was changed. The same token could be used several times, which could result in leak of the existing token and unauthorized password change. The issue is fixed in versions 1.10.11 and 1.11.2. As a workaround, overwrite the `Sylius\Bundle\ApiBundle\CommandHandler\ResetPasswordHandler` class with code provided by the maintainers and register it in a container. More information about this workaround is available in the GitHub Security Advisory.
Severity ?
7.1 (High)
CWE
- CWE-613 - Insufficient Session Expiration
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:20:50.484Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.10.11"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.11.2"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-mf3v-f2qq-pf9g"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-24743",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-22T15:49:17.884088Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-22T18:18:50.307Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Sylius",
"vendor": "Sylius",
"versions": [
{
"status": "affected",
"version": "\u003c 1.10.11"
},
{
"status": "affected",
"version": "\u003e= 1.11.0, \u003c 1.11.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Sylius is an open source eCommerce platform. Prior to versions 1.10.11 and 1.11.2, the reset password token was not set to null after the password was changed. The same token could be used several times, which could result in leak of the existing token and unauthorized password change. The issue is fixed in versions 1.10.11 and 1.11.2. As a workaround, overwrite the `Sylius\\Bundle\\ApiBundle\\CommandHandler\\ResetPasswordHandler` class with code provided by the maintainers and register it in a container. More information about this workaround is available in the GitHub Security Advisory."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613: Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-03-14T21:00:14.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.10.11"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.11.2"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-mf3v-f2qq-pf9g"
}
],
"source": {
"advisory": "GHSA-mf3v-f2qq-pf9g",
"discovery": "UNKNOWN"
},
"title": "Insufficient Session Expiration in Sylius",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-24743",
"STATE": "PUBLIC",
"TITLE": "Insufficient Session Expiration in Sylius"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Sylius",
"version": {
"version_data": [
{
"version_value": "\u003c 1.10.11"
},
{
"version_value": "\u003e= 1.11.0, \u003c 1.11.2"
}
]
}
}
]
},
"vendor_name": "Sylius"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Sylius is an open source eCommerce platform. Prior to versions 1.10.11 and 1.11.2, the reset password token was not set to null after the password was changed. The same token could be used several times, which could result in leak of the existing token and unauthorized password change. The issue is fixed in versions 1.10.11 and 1.11.2. As a workaround, overwrite the `Sylius\\Bundle\\ApiBundle\\CommandHandler\\ResetPasswordHandler` class with code provided by the maintainers and register it in a container. More information about this workaround is available in the GitHub Security Advisory."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-613: Insufficient Session Expiration"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Sylius/Sylius/releases/tag/v1.10.11",
"refsource": "MISC",
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.10.11"
},
{
"name": "https://github.com/Sylius/Sylius/releases/tag/v1.11.2",
"refsource": "MISC",
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.11.2"
},
{
"name": "https://github.com/Sylius/Sylius/security/advisories/GHSA-mf3v-f2qq-pf9g",
"refsource": "CONFIRM",
"url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-mf3v-f2qq-pf9g"
}
]
},
"source": {
"advisory": "GHSA-mf3v-f2qq-pf9g",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-24743",
"datePublished": "2022-03-14T21:00:14.000Z",
"dateReserved": "2022-02-10T00:00:00.000Z",
"dateUpdated": "2025-04-22T18:18:50.307Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-24742 (GCVE-0-2022-24742)
Vulnerability from nvd – Published: 2022-03-14 19:20 – Updated: 2025-04-23 18:54
VLAI?
Title
Exposure of Sensitive Information Due to Incompatible Policies in Sylius
Summary
Sylius is an open source eCommerce platform. Prior to versions 1.9.10, 1.10.11, and 1.11.2, any other user can view the data if browser tab remains unclosed after log out. The issue is fixed in versions 1.9.10, 1.10.11, and 1.11.2. A workaround is available. The application must strictly redirect to login page even browser back button is pressed. Another possibility is to set more strict cache policies for restricted content.
Severity ?
5 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:20:50.160Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.10.11"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.11.2"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.9.10"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-7563-75j9-6h5p"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-24742",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T14:09:05.327792Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T18:54:10.363Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Sylius",
"vendor": "Sylius",
"versions": [
{
"status": "affected",
"version": "\u003c 1.9.10"
},
{
"status": "affected",
"version": "\u003e= 1.10.0, \u003c 1.10.11"
},
{
"status": "affected",
"version": "\u003e= 1.11.0, \u003c 1.11.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Sylius is an open source eCommerce platform. Prior to versions 1.9.10, 1.10.11, and 1.11.2, any other user can view the data if browser tab remains unclosed after log out. The issue is fixed in versions 1.9.10, 1.10.11, and 1.11.2. A workaround is available. The application must strictly redirect to login page even browser back button is pressed. Another possibility is to set more strict cache policies for restricted content."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-03-14T19:20:10.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.10.11"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.11.2"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.9.10"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-7563-75j9-6h5p"
}
],
"source": {
"advisory": "GHSA-7563-75j9-6h5p",
"discovery": "UNKNOWN"
},
"title": "Exposure of Sensitive Information Due to Incompatible Policies in Sylius",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-24742",
"STATE": "PUBLIC",
"TITLE": "Exposure of Sensitive Information Due to Incompatible Policies in Sylius"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Sylius",
"version": {
"version_data": [
{
"version_value": "\u003c 1.9.10"
},
{
"version_value": "\u003e= 1.10.0, \u003c 1.10.11"
},
{
"version_value": "\u003e= 1.11.0, \u003c 1.11.2"
}
]
}
}
]
},
"vendor_name": "Sylius"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Sylius is an open source eCommerce platform. Prior to versions 1.9.10, 1.10.11, and 1.11.2, any other user can view the data if browser tab remains unclosed after log out. The issue is fixed in versions 1.9.10, 1.10.11, and 1.11.2. A workaround is available. The application must strictly redirect to login page even browser back button is pressed. Another possibility is to set more strict cache policies for restricted content."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Sylius/Sylius/releases/tag/v1.10.11",
"refsource": "MISC",
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.10.11"
},
{
"name": "https://github.com/Sylius/Sylius/releases/tag/v1.11.2",
"refsource": "MISC",
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.11.2"
},
{
"name": "https://github.com/Sylius/Sylius/releases/tag/v1.9.10",
"refsource": "MISC",
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.9.10"
},
{
"name": "https://github.com/Sylius/Sylius/security/advisories/GHSA-7563-75j9-6h5p",
"refsource": "CONFIRM",
"url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-7563-75j9-6h5p"
}
]
},
"source": {
"advisory": "GHSA-7563-75j9-6h5p",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-24742",
"datePublished": "2022-03-14T19:20:10.000Z",
"dateReserved": "2022-02-10T00:00:00.000Z",
"dateUpdated": "2025-04-23T18:54:10.363Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-24733 (GCVE-0-2022-24733)
Vulnerability from nvd – Published: 2022-03-14 18:50 – Updated: 2025-04-23 18:54
VLAI?
Title
Improper Restriction of Rendered UI Layers or Frames in Sylius
Summary
Sylius is an open source eCommerce platform. Prior to versions 1.9.10, 1.10.11, and 1.11.2, it is possible for a page controlled by an attacker to load the website within an iframe. This will enable a clickjacking attack, in which the attacker's page overlays the target application's interface with a different interface provided by the attacker. The issue is fixed in versions 1.9.10, 1.10.11, and 1.11.2. A workaround is available. Every response from app should have an X-Frame-Options header set to: ``sameorigin``. To achieve that, add a new `subscriber` in the app.
Severity ?
6.1 (Medium)
CWE
- CWE-1021 - Improper Restriction of Rendered UI Layers or Frames
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:20:49.808Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-4jp3-q2qm-9fmw"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.10.11"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.11.2"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.9.10"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-24733",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T14:09:08.211087Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T18:54:19.052Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Sylius",
"vendor": "Sylius",
"versions": [
{
"status": "affected",
"version": "\u003c 1.9.10"
},
{
"status": "affected",
"version": "\u003e= 1.10.0, \u003c 1.10.11"
},
{
"status": "affected",
"version": "\u003e= 1.11.0, \u003c 1.11.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Sylius is an open source eCommerce platform. Prior to versions 1.9.10, 1.10.11, and 1.11.2, it is possible for a page controlled by an attacker to load the website within an iframe. This will enable a clickjacking attack, in which the attacker\u0027s page overlays the target application\u0027s interface with a different interface provided by the attacker. The issue is fixed in versions 1.9.10, 1.10.11, and 1.11.2. A workaround is available. Every response from app should have an X-Frame-Options header set to: ``sameorigin``. To achieve that, add a new `subscriber` in the app."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1021",
"description": "CWE-1021: Improper Restriction of Rendered UI Layers or Frames",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-03-14T18:50:10.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-4jp3-q2qm-9fmw"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.10.11"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.11.2"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.9.10"
}
],
"source": {
"advisory": "GHSA-4jp3-q2qm-9fmw",
"discovery": "UNKNOWN"
},
"title": "Improper Restriction of Rendered UI Layers or Frames in Sylius",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-24733",
"STATE": "PUBLIC",
"TITLE": "Improper Restriction of Rendered UI Layers or Frames in Sylius"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Sylius",
"version": {
"version_data": [
{
"version_value": "\u003c 1.9.10"
},
{
"version_value": "\u003e= 1.10.0, \u003c 1.10.11"
},
{
"version_value": "\u003e= 1.11.0, \u003c 1.11.2"
}
]
}
}
]
},
"vendor_name": "Sylius"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Sylius is an open source eCommerce platform. Prior to versions 1.9.10, 1.10.11, and 1.11.2, it is possible for a page controlled by an attacker to load the website within an iframe. This will enable a clickjacking attack, in which the attacker\u0027s page overlays the target application\u0027s interface with a different interface provided by the attacker. The issue is fixed in versions 1.9.10, 1.10.11, and 1.11.2. A workaround is available. Every response from app should have an X-Frame-Options header set to: ``sameorigin``. To achieve that, add a new `subscriber` in the app."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-1021: Improper Restriction of Rendered UI Layers or Frames"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Sylius/Sylius/security/advisories/GHSA-4jp3-q2qm-9fmw",
"refsource": "CONFIRM",
"url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-4jp3-q2qm-9fmw"
},
{
"name": "https://github.com/Sylius/Sylius/releases/tag/v1.10.11",
"refsource": "MISC",
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.10.11"
},
{
"name": "https://github.com/Sylius/Sylius/releases/tag/v1.11.2",
"refsource": "MISC",
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.11.2"
},
{
"name": "https://github.com/Sylius/Sylius/releases/tag/v1.9.10",
"refsource": "MISC",
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.9.10"
}
]
},
"source": {
"advisory": "GHSA-4jp3-q2qm-9fmw",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-24733",
"datePublished": "2022-03-14T18:50:10.000Z",
"dateReserved": "2022-02-10T00:00:00.000Z",
"dateUpdated": "2025-04-23T18:54:19.052Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-32720 (GCVE-0-2021-32720)
Vulnerability from nvd – Published: 2021-06-28 18:45 – Updated: 2024-08-03 23:25
VLAI?
Title
List of order ids, number, items total and token value exposed for unauthorized uses via new API
Summary
Sylius is an Open Source eCommerce platform on top of Symfony. In versions of Sylius prior to 1.9.5 and 1.10.0-RC.1, part of the details (order ID, order number, items total, and token value) of all placed orders were exposed to unauthorized users. If exploited properly, a few additional information like the number of items in the cart and the date of the shipping may be fetched as well. This data seems to not be crucial nor is personal data, however, could be used for sociotechnical attacks or may expose a few details about shop condition to the third parties. The data possible to aggregate are the number of processed orders or their value in the moment of time. The problem has been patched at Sylius 1.9.5 and 1.10.0-RC.1. There are a few workarounds for the vulnerability. The first possible solution is to hide the problematic endpoints behind the firewall from not logged in users. This would put only the order list under the firewall and allow only authorized users to access it. Once a user is authorized, it will have access to theirs orders only. The second possible solution is to decorate the `\Sylius\Bundle\ApiBundle\Doctrine\QueryCollectionExtension\OrdersByLoggedInUserExtension` and throw `Symfony\Component\Security\Core\Exception\AccessDeniedException` if the class is executed for unauthorized user.
Severity ?
5.3 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T23:25:31.162Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-rpxh-vg2x-526v"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.9.5"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Sylius",
"vendor": "Sylius",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.9.0, \u003c 1.9.5"
},
{
"status": "affected",
"version": "\u003e= 1.10.0-ALPHA.1, \u003c= 1.10.0-BETA.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Sylius is an Open Source eCommerce platform on top of Symfony. In versions of Sylius prior to 1.9.5 and 1.10.0-RC.1, part of the details (order ID, order number, items total, and token value) of all placed orders were exposed to unauthorized users. If exploited properly, a few additional information like the number of items in the cart and the date of the shipping may be fetched as well. This data seems to not be crucial nor is personal data, however, could be used for sociotechnical attacks or may expose a few details about shop condition to the third parties. The data possible to aggregate are the number of processed orders or their value in the moment of time. The problem has been patched at Sylius 1.9.5 and 1.10.0-RC.1. There are a few workarounds for the vulnerability. The first possible solution is to hide the problematic endpoints behind the firewall from not logged in users. This would put only the order list under the firewall and allow only authorized users to access it. Once a user is authorized, it will have access to theirs orders only. The second possible solution is to decorate the `\\Sylius\\Bundle\\ApiBundle\\Doctrine\\QueryCollectionExtension\\OrdersByLoggedInUserExtension` and throw `Symfony\\Component\\Security\\Core\\Exception\\AccessDeniedException` if the class is executed for unauthorized user."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-28T18:45:11",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-rpxh-vg2x-526v"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.9.5"
}
],
"source": {
"advisory": "GHSA-rpxh-vg2x-526v",
"discovery": "UNKNOWN"
},
"title": "List of order ids, number, items total and token value exposed for unauthorized uses via new API",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-32720",
"STATE": "PUBLIC",
"TITLE": "List of order ids, number, items total and token value exposed for unauthorized uses via new API"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Sylius",
"version": {
"version_data": [
{
"version_value": "\u003e= 1.9.0, \u003c 1.9.5"
},
{
"version_value": "\u003e= 1.10.0-ALPHA.1, \u003c= 1.10.0-BETA.1"
}
]
}
}
]
},
"vendor_name": "Sylius"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Sylius is an Open Source eCommerce platform on top of Symfony. In versions of Sylius prior to 1.9.5 and 1.10.0-RC.1, part of the details (order ID, order number, items total, and token value) of all placed orders were exposed to unauthorized users. If exploited properly, a few additional information like the number of items in the cart and the date of the shipping may be fetched as well. This data seems to not be crucial nor is personal data, however, could be used for sociotechnical attacks or may expose a few details about shop condition to the third parties. The data possible to aggregate are the number of processed orders or their value in the moment of time. The problem has been patched at Sylius 1.9.5 and 1.10.0-RC.1. There are a few workarounds for the vulnerability. The first possible solution is to hide the problematic endpoints behind the firewall from not logged in users. This would put only the order list under the firewall and allow only authorized users to access it. Once a user is authorized, it will have access to theirs orders only. The second possible solution is to decorate the `\\Sylius\\Bundle\\ApiBundle\\Doctrine\\QueryCollectionExtension\\OrdersByLoggedInUserExtension` and throw `Symfony\\Component\\Security\\Core\\Exception\\AccessDeniedException` if the class is executed for unauthorized user."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Sylius/Sylius/security/advisories/GHSA-rpxh-vg2x-526v",
"refsource": "CONFIRM",
"url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-rpxh-vg2x-526v"
},
{
"name": "https://github.com/Sylius/Sylius/releases/tag/v1.9.5",
"refsource": "MISC",
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.9.5"
}
]
},
"source": {
"advisory": "GHSA-rpxh-vg2x-526v",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-32720",
"datePublished": "2021-06-28T18:45:11",
"dateReserved": "2021-05-12T00:00:00",
"dateUpdated": "2024-08-03T23:25:31.162Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}