cvelistv5 - cve-2022-24733

CVE-2022-24733 (GCVE-0-2022-24733)

Vulnerability from cvelistv5 – Published: 2022-03-14 18:50 – Updated: 2025-04-23 18:54

Title

Improper Restriction of Rendered UI Layers or Frames in Sylius

Summary

Sylius is an open source eCommerce platform. Prior to versions 1.9.10, 1.10.11, and 1.11.2, it is possible for a page controlled by an attacker to load the website within an iframe. This will enable a clickjacking attack, in which the attacker's page overlays the target application's interface with a different interface provided by the attacker. The issue is fixed in versions 1.9.10, 1.10.11, and 1.11.2. A workaround is available. Every response from app should have an X-Frame-Options header set to: ``sameorigin``. To achieve that, add a new `subscriber` in the app.

Severity ?

6.1 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE

CWE-1021 - Improper Restriction of Rendered UI Layers or Frames

Assigner

GitHub_M

References

URL

Tags

	https://github.com/Sylius/Sylius/security/advisor…	x_refsource_CONFIRM
	https://github.com/Sylius/Sylius/releases/tag/v1.10.11	x_refsource_MISC
	https://github.com/Sylius/Sylius/releases/tag/v1.11.2	x_refsource_MISC
	https://github.com/Sylius/Sylius/releases/tag/v1.9.10	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	Sylius	Sylius	Affected: < 1.9.10 Affected: >= 1.10.0, < 1.10.11 Affected: >= 1.11.0, < 1.11.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T04:20:49.808Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-4jp3-q2qm-9fmw"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/Sylius/Sylius/releases/tag/v1.10.11"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/Sylius/Sylius/releases/tag/v1.11.2"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/Sylius/Sylius/releases/tag/v1.9.10"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-24733",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-23T14:09:08.211087Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-23T18:54:19.052Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Sylius",
          "vendor": "Sylius",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.9.10"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.10.0, \u003c 1.10.11"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.11.0, \u003c 1.11.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Sylius is an open source eCommerce platform. Prior to versions 1.9.10, 1.10.11, and 1.11.2, it is possible for a page controlled by an attacker to load the website within an iframe. This will enable a clickjacking attack, in which the attacker\u0027s page overlays the target application\u0027s interface with a different interface provided by the attacker. The issue is fixed in versions 1.9.10, 1.10.11, and 1.11.2. A workaround is available. Every response from app should have an X-Frame-Options header set to: ``sameorigin``. To achieve that, add a new `subscriber` in the app."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1021",
              "description": "CWE-1021: Improper Restriction of Rendered UI Layers or Frames",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-03-14T18:50:10.000Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-4jp3-q2qm-9fmw"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/Sylius/Sylius/releases/tag/v1.10.11"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/Sylius/Sylius/releases/tag/v1.11.2"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/Sylius/Sylius/releases/tag/v1.9.10"
        }
      ],
      "source": {
        "advisory": "GHSA-4jp3-q2qm-9fmw",
        "discovery": "UNKNOWN"
      },
      "title": "Improper Restriction of Rendered UI Layers or Frames in Sylius",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2022-24733",
          "STATE": "PUBLIC",
          "TITLE": "Improper Restriction of Rendered UI Layers or Frames in Sylius"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Sylius",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 1.9.10"
                          },
                          {
                            "version_value": "\u003e= 1.10.0, \u003c 1.10.11"
                          },
                          {
                            "version_value": "\u003e= 1.11.0, \u003c 1.11.2"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Sylius"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Sylius is an open source eCommerce platform. Prior to versions 1.9.10, 1.10.11, and 1.11.2, it is possible for a page controlled by an attacker to load the website within an iframe. This will enable a clickjacking attack, in which the attacker\u0027s page overlays the target application\u0027s interface with a different interface provided by the attacker. The issue is fixed in versions 1.9.10, 1.10.11, and 1.11.2. A workaround is available. Every response from app should have an X-Frame-Options header set to: ``sameorigin``. To achieve that, add a new `subscriber` in the app."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-1021: Improper Restriction of Rendered UI Layers or Frames"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/Sylius/Sylius/security/advisories/GHSA-4jp3-q2qm-9fmw",
              "refsource": "CONFIRM",
              "url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-4jp3-q2qm-9fmw"
            },
            {
              "name": "https://github.com/Sylius/Sylius/releases/tag/v1.10.11",
              "refsource": "MISC",
              "url": "https://github.com/Sylius/Sylius/releases/tag/v1.10.11"
            },
            {
              "name": "https://github.com/Sylius/Sylius/releases/tag/v1.11.2",
              "refsource": "MISC",
              "url": "https://github.com/Sylius/Sylius/releases/tag/v1.11.2"
            },
            {
              "name": "https://github.com/Sylius/Sylius/releases/tag/v1.9.10",
              "refsource": "MISC",
              "url": "https://github.com/Sylius/Sylius/releases/tag/v1.9.10"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-4jp3-q2qm-9fmw",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2022-24733",
    "datePublished": "2022-03-14T18:50:10.000Z",
    "dateReserved": "2022-02-10T00:00:00.000Z",
    "dateUpdated": "2025-04-23T18:54:19.052Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"1.9.10\", \"matchCriteriaId\": \"E2B404E6-8985-428A-A7C4-880A4947766B\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"1.10.0\", \"versionEndExcluding\": \"1.10.11\", \"matchCriteriaId\": \"687E9BB6-A926-4A62-B44E-7A1B236D6C6F\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"1.11.0\", \"versionEndExcluding\": \"1.11.2\", \"matchCriteriaId\": \"D4D032BB-B314-42A5-808D-5861B909F76F\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Sylius is an open source eCommerce platform. Prior to versions 1.9.10, 1.10.11, and 1.11.2, it is possible for a page controlled by an attacker to load the website within an iframe. This will enable a clickjacking attack, in which the attacker\u0027s page overlays the target application\u0027s interface with a different interface provided by the attacker. The issue is fixed in versions 1.9.10, 1.10.11, and 1.11.2. A workaround is available. Every response from app should have an X-Frame-Options header set to: ``sameorigin``. To achieve that, add a new `subscriber` in the app.\"}, {\"lang\": \"es\", \"value\": \"Sylius es una plataforma de comercio electr\\u00f3nico de c\\u00f3digo abierto. En versiones anteriores a 1.9.10, 1.10.11 y 1.11.2, es posible que una p\\u00e1gina controlada por un atacante cargue el sitio web dentro de un iframe. Esto permitir\\u00eda un ataque de clickjacking, en el que la p\\u00e1gina del atacante superpone la interfaz de la aplicaci\\u00f3n objetivo con una interfaz diferente proporcionada por el atacante. El problema ha sido corregido en versiones 1.9.10, 1.10.11 y 1.11.2. Se presenta una medida de mitigaci\\u00f3n disponible. Cada respuesta de la aplicaci\\u00f3n debe tener un encabezado X-Frame-Options configurada como \\\"sameorigin\\\". Para conseguirlo, a\\u00f1ada un nuevo \\\"subscriber\\\" en la aplicaci\\u00f3n\"}]",
      "id": "CVE-2022-24733",
      "lastModified": "2024-11-21T06:50:58.550",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\", \"baseScore\": 6.1, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 2.7}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\", \"baseScore\": 6.1, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 2.7}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:N/C:P/I:P/A:N\", \"baseScore\": 5.8, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.6, \"impactScore\": 4.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": true}]}",
      "published": "2022-03-14T19:15:12.173",
      "references": "[{\"url\": \"https://github.com/Sylius/Sylius/releases/tag/v1.10.11\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Release Notes\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/Sylius/Sylius/releases/tag/v1.11.2\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Release Notes\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/Sylius/Sylius/releases/tag/v1.9.10\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Release Notes\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/Sylius/Sylius/security/advisories/GHSA-4jp3-q2qm-9fmw\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Mitigation\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/Sylius/Sylius/releases/tag/v1.10.11\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Release Notes\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/Sylius/Sylius/releases/tag/v1.11.2\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Release Notes\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/Sylius/Sylius/releases/tag/v1.9.10\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Release Notes\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/Sylius/Sylius/security/advisories/GHSA-4jp3-q2qm-9fmw\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mitigation\", \"Third Party Advisory\"]}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-1021\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-24733\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2022-03-14T19:15:12.173\",\"lastModified\":\"2024-11-21T06:50:58.550\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Sylius is an open source eCommerce platform. Prior to versions 1.9.10, 1.10.11, and 1.11.2, it is possible for a page controlled by an attacker to load the website within an iframe. This will enable a clickjacking attack, in which the attacker\u0027s page overlays the target application\u0027s interface with a different interface provided by the attacker. The issue is fixed in versions 1.9.10, 1.10.11, and 1.11.2. A workaround is available. Every response from app should have an X-Frame-Options header set to: ``sameorigin``. To achieve that, add a new `subscriber` in the app.\"},{\"lang\":\"es\",\"value\":\"Sylius es una plataforma de comercio electr\u00f3nico de c\u00f3digo abierto. En versiones anteriores a 1.9.10, 1.10.11 y 1.11.2, es posible que una p\u00e1gina controlada por un atacante cargue el sitio web dentro de un iframe. Esto permitir\u00eda un ataque de clickjacking, en el que la p\u00e1gina del atacante superpone la interfaz de la aplicaci\u00f3n objetivo con una interfaz diferente proporcionada por el atacante. El problema ha sido corregido en versiones 1.9.10, 1.10.11 y 1.11.2. Se presenta una medida de mitigaci\u00f3n disponible. Cada respuesta de la aplicaci\u00f3n debe tener un encabezado X-Frame-Options configurada como \\\"sameorigin\\\". Para conseguirlo, a\u00f1ada un nuevo \\\"subscriber\\\" en la aplicaci\u00f3n\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.7},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.7}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:P/I:P/A:N\",\"baseScore\":5.8,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":4.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-1021\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.9.10\",\"matchCriteriaId\":\"E2B404E6-8985-428A-A7C4-880A4947766B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.10.0\",\"versionEndExcluding\":\"1.10.11\",\"matchCriteriaId\":\"687E9BB6-A926-4A62-B44E-7A1B236D6C6F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.11.0\",\"versionEndExcluding\":\"1.11.2\",\"matchCriteriaId\":\"D4D032BB-B314-42A5-808D-5861B909F76F\"}]}]}],\"references\":[{\"url\":\"https://github.com/Sylius/Sylius/releases/tag/v1.10.11\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/Sylius/Sylius/releases/tag/v1.11.2\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/Sylius/Sylius/releases/tag/v1.9.10\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/Sylius/Sylius/security/advisories/GHSA-4jp3-q2qm-9fmw\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Mitigation\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/Sylius/Sylius/releases/tag/v1.10.11\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/Sylius/Sylius/releases/tag/v1.11.2\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/Sylius/Sylius/releases/tag/v1.9.10\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/Sylius/Sylius/security/advisories/GHSA-4jp3-q2qm-9fmw\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mitigation\",\"Third Party Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"affected\": [{\"product\": \"Sylius\", \"vendor\": \"Sylius\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 1.9.10\"}, {\"status\": \"affected\", \"version\": \"\u003e= 1.10.0, \u003c 1.10.11\"}, {\"status\": \"affected\", \"version\": \"\u003e= 1.11.0, \u003c 1.11.2\"}]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Sylius is an open source eCommerce platform. Prior to versions 1.9.10, 1.10.11, and 1.11.2, it is possible for a page controlled by an attacker to load the website within an iframe. This will enable a clickjacking attack, in which the attacker\u0027s page overlays the target application\u0027s interface with a different interface provided by the attacker. The issue is fixed in versions 1.9.10, 1.10.11, and 1.11.2. A workaround is available. Every response from app should have an X-Frame-Options header set to: ``sameorigin``. To achieve that, add a new `subscriber` in the app.\"}], \"metrics\": [{\"cvssV3_1\": {\"attackComplexity\": \"LOW\", \"attackVector\": \"NETWORK\", \"availabilityImpact\": \"NONE\", \"baseScore\": 6.1, \"baseSeverity\": \"MEDIUM\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"scope\": \"CHANGED\", \"userInteraction\": \"REQUIRED\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\", \"version\": \"3.1\"}}], \"problemTypes\": [{\"descriptions\": [{\"cweId\": \"CWE-1021\", \"description\": \"CWE-1021: Improper Restriction of Rendered UI Layers or Frames\", \"lang\": \"en\", \"type\": \"CWE\"}]}], \"providerMetadata\": {\"dateUpdated\": \"2022-03-14T18:50:10.000Z\", \"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\"}, \"references\": [{\"tags\": [\"x_refsource_CONFIRM\"], \"url\": \"https://github.com/Sylius/Sylius/security/advisories/GHSA-4jp3-q2qm-9fmw\"}, {\"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/Sylius/Sylius/releases/tag/v1.10.11\"}, {\"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/Sylius/Sylius/releases/tag/v1.11.2\"}, {\"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/Sylius/Sylius/releases/tag/v1.9.10\"}], \"source\": {\"advisory\": \"GHSA-4jp3-q2qm-9fmw\", \"discovery\": \"UNKNOWN\"}, \"title\": \"Improper Restriction of Rendered UI Layers or Frames in Sylius\", \"x_legacyV4Record\": {\"CVE_data_meta\": {\"ASSIGNER\": \"security-advisories@github.com\", \"ID\": \"CVE-2022-24733\", \"STATE\": \"PUBLIC\", \"TITLE\": \"Improper Restriction of Rendered UI Layers or Frames in Sylius\"}, \"affects\": {\"vendor\": {\"vendor_data\": [{\"product\": {\"product_data\": [{\"product_name\": \"Sylius\", \"version\": {\"version_data\": [{\"version_value\": \"\u003c 1.9.10\"}, {\"version_value\": \"\u003e= 1.10.0, \u003c 1.10.11\"}, {\"version_value\": \"\u003e= 1.11.0, \u003c 1.11.2\"}]}}]}, \"vendor_name\": \"Sylius\"}]}}, \"data_format\": \"MITRE\", \"data_type\": \"CVE\", \"data_version\": \"4.0\", \"description\": {\"description_data\": [{\"lang\": \"eng\", \"value\": \"Sylius is an open source eCommerce platform. Prior to versions 1.9.10, 1.10.11, and 1.11.2, it is possible for a page controlled by an attacker to load the website within an iframe. This will enable a clickjacking attack, in which the attacker\u0027s page overlays the target application\u0027s interface with a different interface provided by the attacker. The issue is fixed in versions 1.9.10, 1.10.11, and 1.11.2. A workaround is available. Every response from app should have an X-Frame-Options header set to: ``sameorigin``. To achieve that, add a new `subscriber` in the app.\"}]}, \"impact\": {\"cvss\": {\"attackComplexity\": \"LOW\", \"attackVector\": \"NETWORK\", \"availabilityImpact\": \"NONE\", \"baseScore\": 6.1, \"baseSeverity\": \"MEDIUM\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"scope\": \"CHANGED\", \"userInteraction\": \"REQUIRED\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\", \"version\": \"3.1\"}}, \"problemtype\": {\"problemtype_data\": [{\"description\": [{\"lang\": \"eng\", \"value\": \"CWE-1021: Improper Restriction of Rendered UI Layers or Frames\"}]}]}, \"references\": {\"reference_data\": [{\"name\": \"https://github.com/Sylius/Sylius/security/advisories/GHSA-4jp3-q2qm-9fmw\", \"refsource\": \"CONFIRM\", \"url\": \"https://github.com/Sylius/Sylius/security/advisories/GHSA-4jp3-q2qm-9fmw\"}, {\"name\": \"https://github.com/Sylius/Sylius/releases/tag/v1.10.11\", \"refsource\": \"MISC\", \"url\": \"https://github.com/Sylius/Sylius/releases/tag/v1.10.11\"}, {\"name\": \"https://github.com/Sylius/Sylius/releases/tag/v1.11.2\", \"refsource\": \"MISC\", \"url\": \"https://github.com/Sylius/Sylius/releases/tag/v1.11.2\"}, {\"name\": \"https://github.com/Sylius/Sylius/releases/tag/v1.9.10\", \"refsource\": \"MISC\", \"url\": \"https://github.com/Sylius/Sylius/releases/tag/v1.9.10\"}]}, \"source\": {\"advisory\": \"GHSA-4jp3-q2qm-9fmw\", \"discovery\": \"UNKNOWN\"}}}, \"adp\": [{\"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T04:20:49.808Z\"}, \"title\": \"CVE Program Container\", \"references\": [{\"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"], \"url\": \"https://github.com/Sylius/Sylius/security/advisories/GHSA-4jp3-q2qm-9fmw\"}, {\"tags\": [\"x_refsource_MISC\", \"x_transferred\"], \"url\": \"https://github.com/Sylius/Sylius/releases/tag/v1.10.11\"}, {\"tags\": [\"x_refsource_MISC\", \"x_transferred\"], \"url\": \"https://github.com/Sylius/Sylius/releases/tag/v1.11.2\"}, {\"tags\": [\"x_refsource_MISC\", \"x_transferred\"], \"url\": \"https://github.com/Sylius/Sylius/releases/tag/v1.9.10\"}]}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-24733\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-04-23T14:09:08.211087Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-04-23T14:09:10.134Z\"}}]}",
      "cveMetadata": "{\"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"assignerShortName\": \"GitHub_M\", \"cveId\": \"CVE-2022-24733\", \"datePublished\": \"2022-03-14T18:50:10.000Z\", \"dateReserved\": \"2022-02-10T00:00:00.000Z\", \"dateUpdated\": \"2025-04-23T18:54:19.052Z\", \"state\": \"PUBLISHED\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

GHSA-4JP3-Q2QM-9FMW

Vulnerability from github – Published: 2022-03-14 21:55 – Updated: 2022-03-28 22:31

Summary

Improper Restriction of Rendered UI Layers or Frames in Sylius

Details

Impact

It is possible for a page controlled by an attacker to load the website within an iframe. This will enable a clickjacking attack, in which the attacker's page overlays the target application's interface with a different interface provided by the attacker

Patches

The issue is fixed in versions: 1.9.10, 1.10.11, 1.11.2, and above.

Workarounds

Every response from app should have an X-Frame-Options header set to: sameorigin. To achieve that you just need to add a new subscriber in your app.

<?php

// src/EventListener/XFrameOptionsSubscriber.php

namespace App\EventListener

final class XFrameOptionsSubscriber implements EventSubscriberInterface
{
    public static function getSubscribedEvents(): array
    {
        return [
            KernelEvents::RESPONSE => 'onKernelResponse',
        ];
    }

    public function onKernelResponse(ResponseEvent $event): void
    {
        if (!$this->isMainRequest($event)) {
            return;
        }

        $response = $event->getResponse();

        $response->headers->set('X-Frame-Options', 'sameorigin');
    }

    private function isMainRequest(ResponseEvent $event): bool
    {
        if (\method_exists($event, 'isMainRequest')) {
            return $event->isMainRequest();
        }

        return $event->isMasterRequest();
    }
}

And register it in the container:

# config/services.yaml
services:
    # ...
    App\EventListener\XFrameOptionsSubscriber:
        tags: ['kernel.event_subscriber']

For more information

If you have any questions or comments about this advisory: * Open an issue in Sylius issues * Email us at security@sylius.com

Severity ?

6.1 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "sylius/sylius"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.9.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "sylius/sylius"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.10.0"
            },
            {
              "fixed": "1.10.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "sylius/sylius"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.11.0"
            },
            {
              "fixed": "1.11.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-24733"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1021"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-03-14T21:55:33Z",
    "nvd_published_at": "2022-03-14T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nIt is possible for a page controlled by an attacker to load the website within an iframe. This will enable a clickjacking attack, in which the attacker\u0027s page overlays the target application\u0027s interface with a different interface provided by the attacker\n\n### Patches\n\nThe issue is fixed in versions: 1.9.10, 1.10.11, 1.11.2, and above.\n\n### Workarounds\n\nEvery response from app should have an X-Frame-Options header set to: ``sameorigin``. To achieve that you just need to add a new **subscriber** in your app. \n\n```php\n\u003c?php\n\n// src/EventListener/XFrameOptionsSubscriber.php\n\nnamespace App\\EventListener\n\nfinal class XFrameOptionsSubscriber implements EventSubscriberInterface\n{\n    public static function getSubscribedEvents(): array\n    {\n        return [\n            KernelEvents::RESPONSE =\u003e \u0027onKernelResponse\u0027,\n        ];\n    }\n\n    public function onKernelResponse(ResponseEvent $event): void\n    {\n        if (!$this-\u003eisMainRequest($event)) {\n            return;\n        }\n\n        $response = $event-\u003egetResponse();\n\n        $response-\u003eheaders-\u003eset(\u0027X-Frame-Options\u0027, \u0027sameorigin\u0027);\n    }\n\n    private function isMainRequest(ResponseEvent $event): bool\n    {\n        if (\\method_exists($event, \u0027isMainRequest\u0027)) {\n            return $event-\u003eisMainRequest();\n        }\n\n        return $event-\u003eisMasterRequest();\n    }\n}\n\n```\n\nAnd register it in the container:\n\n```yaml\n# config/services.yaml\nservices:\n    # ...\n    App\\EventListener\\XFrameOptionsSubscriber:\n        tags: [\u0027kernel.event_subscriber\u0027]\n```\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [Sylius issues](https://github.com/Sylius/Sylius/issues)\n* Email us at [security@sylius.com](mailto:security@sylius.com)\n",
  "id": "GHSA-4jp3-q2qm-9fmw",
  "modified": "2022-03-28T22:31:17Z",
  "published": "2022-03-14T21:55:33Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-4jp3-q2qm-9fmw"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24733"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Sylius/Sylius"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Sylius/Sylius/releases/tag/v1.10.11"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Sylius/Sylius/releases/tag/v1.11.2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Sylius/Sylius/releases/tag/v1.9.10"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Improper Restriction of Rendered UI Layers or Frames in Sylius"
}

FKIE_CVE-2022-24733

Vulnerability from fkie_nvd - Published: 2022-03-14 19:15 - Updated: 2024-11-21 06:50

Severity ?

6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/Sylius/Sylius/releases/tag/v1.10.11	Release Notes, Third Party Advisory
security-advisories@github.com	https://github.com/Sylius/Sylius/releases/tag/v1.11.2	Release Notes, Third Party Advisory
security-advisories@github.com	https://github.com/Sylius/Sylius/releases/tag/v1.9.10	Release Notes, Third Party Advisory
security-advisories@github.com	https://github.com/Sylius/Sylius/security/advisories/GHSA-4jp3-q2qm-9fmw	Mitigation, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/Sylius/Sylius/releases/tag/v1.10.11	Release Notes, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/Sylius/Sylius/releases/tag/v1.11.2	Release Notes, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/Sylius/Sylius/releases/tag/v1.9.10	Release Notes, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/Sylius/Sylius/security/advisories/GHSA-4jp3-q2qm-9fmw	Mitigation, Third Party Advisory

Impacted products

Vendor	Product	Version
sylius	sylius	*
sylius	sylius	*
sylius	sylius	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "E2B404E6-8985-428A-A7C4-880A4947766B",
              "versionEndExcluding": "1.9.10",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "687E9BB6-A926-4A62-B44E-7A1B236D6C6F",
              "versionEndExcluding": "1.10.11",
              "versionStartIncluding": "1.10.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "D4D032BB-B314-42A5-808D-5861B909F76F",
              "versionEndExcluding": "1.11.2",
              "versionStartIncluding": "1.11.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Sylius is an open source eCommerce platform. Prior to versions 1.9.10, 1.10.11, and 1.11.2, it is possible for a page controlled by an attacker to load the website within an iframe. This will enable a clickjacking attack, in which the attacker\u0027s page overlays the target application\u0027s interface with a different interface provided by the attacker. The issue is fixed in versions 1.9.10, 1.10.11, and 1.11.2. A workaround is available. Every response from app should have an X-Frame-Options header set to: ``sameorigin``. To achieve that, add a new `subscriber` in the app."
    },
    {
      "lang": "es",
      "value": "Sylius es una plataforma de comercio electr\u00f3nico de c\u00f3digo abierto. En versiones anteriores a 1.9.10, 1.10.11 y 1.11.2, es posible que una p\u00e1gina controlada por un atacante cargue el sitio web dentro de un iframe. Esto permitir\u00eda un ataque de clickjacking, en el que la p\u00e1gina del atacante superpone la interfaz de la aplicaci\u00f3n objetivo con una interfaz diferente proporcionada por el atacante. El problema ha sido corregido en versiones 1.9.10, 1.10.11 y 1.11.2. Se presenta una medida de mitigaci\u00f3n disponible. Cada respuesta de la aplicaci\u00f3n debe tener un encabezado X-Frame-Options configurada como \"sameorigin\". Para conseguirlo, a\u00f1ada un nuevo \"subscriber\" en la aplicaci\u00f3n"
    }
  ],
  "id": "CVE-2022-24733",
  "lastModified": "2024-11-21T06:50:58.550",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 5.8,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 4.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-03-14T19:15:12.173",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes",
        "Third Party Advisory"
      ],
      "url": "https://github.com/Sylius/Sylius/releases/tag/v1.10.11"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes",
        "Third Party Advisory"
      ],
      "url": "https://github.com/Sylius/Sylius/releases/tag/v1.11.2"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes",
        "Third Party Advisory"
      ],
      "url": "https://github.com/Sylius/Sylius/releases/tag/v1.9.10"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Mitigation",
        "Third Party Advisory"
      ],
      "url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-4jp3-q2qm-9fmw"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes",
        "Third Party Advisory"
      ],
      "url": "https://github.com/Sylius/Sylius/releases/tag/v1.10.11"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes",
        "Third Party Advisory"
      ],
      "url": "https://github.com/Sylius/Sylius/releases/tag/v1.11.2"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes",
        "Third Party Advisory"
      ],
      "url": "https://github.com/Sylius/Sylius/releases/tag/v1.9.10"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mitigation",
        "Third Party Advisory"
      ],
      "url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-4jp3-q2qm-9fmw"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-1021"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GSD-2022-24733

Vulnerability from gsd - Updated: 2023-12-13 01:19

Details

Aliases

CVE-2022-24733

Aliases

CVE-2022-24733

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2022-24733",
    "description": "Sylius is an open source eCommerce platform. Prior to versions 1.9.10, 1.10.11, and 1.11.2, it is possible for a page controlled by an attacker to load the website within an iframe. This will enable a clickjacking attack, in which the attacker\u0027s page overlays the target application\u0027s interface with a different interface provided by the attacker. The issue is fixed in versions 1.9.10, 1.10.11, and 1.11.2. A workaround is available. Every response from app should have an X-Frame-Options header set to: ``sameorigin``. To achieve that, add a new `subscriber` in the app.",
    "id": "GSD-2022-24733"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2022-24733"
      ],
      "details": "Sylius is an open source eCommerce platform. Prior to versions 1.9.10, 1.10.11, and 1.11.2, it is possible for a page controlled by an attacker to load the website within an iframe. This will enable a clickjacking attack, in which the attacker\u0027s page overlays the target application\u0027s interface with a different interface provided by the attacker. The issue is fixed in versions 1.9.10, 1.10.11, and 1.11.2. A workaround is available. Every response from app should have an X-Frame-Options header set to: ``sameorigin``. To achieve that, add a new `subscriber` in the app.",
      "id": "GSD-2022-24733",
      "modified": "2023-12-13T01:19:42.762592Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2022-24733",
        "STATE": "PUBLIC",
        "TITLE": "Improper Restriction of Rendered UI Layers or Frames in Sylius"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Sylius",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "\u003c 1.9.10"
                        },
                        {
                          "version_value": "\u003e= 1.10.0, \u003c 1.10.11"
                        },
                        {
                          "version_value": "\u003e= 1.11.0, \u003c 1.11.2"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Sylius"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Sylius is an open source eCommerce platform. Prior to versions 1.9.10, 1.10.11, and 1.11.2, it is possible for a page controlled by an attacker to load the website within an iframe. This will enable a clickjacking attack, in which the attacker\u0027s page overlays the target application\u0027s interface with a different interface provided by the attacker. The issue is fixed in versions 1.9.10, 1.10.11, and 1.11.2. A workaround is available. Every response from app should have an X-Frame-Options header set to: ``sameorigin``. To achieve that, add a new `subscriber` in the app."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-1021: Improper Restriction of Rendered UI Layers or Frames"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/Sylius/Sylius/security/advisories/GHSA-4jp3-q2qm-9fmw",
            "refsource": "CONFIRM",
            "url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-4jp3-q2qm-9fmw"
          },
          {
            "name": "https://github.com/Sylius/Sylius/releases/tag/v1.10.11",
            "refsource": "MISC",
            "url": "https://github.com/Sylius/Sylius/releases/tag/v1.10.11"
          },
          {
            "name": "https://github.com/Sylius/Sylius/releases/tag/v1.11.2",
            "refsource": "MISC",
            "url": "https://github.com/Sylius/Sylius/releases/tag/v1.11.2"
          },
          {
            "name": "https://github.com/Sylius/Sylius/releases/tag/v1.9.10",
            "refsource": "MISC",
            "url": "https://github.com/Sylius/Sylius/releases/tag/v1.9.10"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-4jp3-q2qm-9fmw",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c1.9.10||\u003e=1.10.0,\u003c1.10.11||\u003e=1.11.0,\u003c1.11.2",
          "affected_versions": "All versions before 1.9.10, all versions starting from 1.10.0 before 1.10.11, all versions starting from 1.11.0 before 1.11.2",
          "cvss_v2": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "cwe_ids": [
            "CWE-1021",
            "CWE-1035",
            "CWE-937"
          ],
          "date": "2022-03-22",
          "description": "Sylius is an open source eCommerce platform. Prior to versions 1.9.10, 1.10.11, and 1.11.2, it is possible for a page controlled by an attacker to load the website within an iframe. This will enable a clickjacking attack, in which the attacker\u0027s page overlays the target application\u0027s interface with a different interface provided by the attacker. The issue is fixed in versions 1.9.10, 1.10.11, and 1.11.2. A workaround is available. Every response from app should have an X-Frame-Options header set to: ``sameorigin``. To achieve that, add a new `subscriber` in the app.",
          "fixed_versions": [
            "1.9.10",
            "1.10.11",
            "1.11.2"
          ],
          "identifier": "CVE-2022-24733",
          "identifiers": [
            "CVE-2022-24733",
            "GHSA-4jp3-q2qm-9fmw"
          ],
          "not_impacted": "All versions starting from 1.9.10 before 1.10.0, all versions starting from 1.10.11 before 1.11.0, all versions starting from 1.11.2",
          "package_slug": "packagist/sylius/sylius",
          "pubdate": "2022-03-14",
          "solution": "Upgrade to versions 1.9.10, 1.10.11, 1.11.2 or above.",
          "title": "Improper Restriction of Rendered UI Layers or Frames",
          "urls": [
            "https://github.com/Sylius/Sylius/security/advisories/GHSA-4jp3-q2qm-9fmw",
            "https://nvd.nist.gov/vuln/detail/CVE-2022-24733",
            "https://github.com/Sylius/Sylius/releases/tag/v1.10.11",
            "https://github.com/Sylius/Sylius/releases/tag/v1.11.2",
            "https://github.com/Sylius/Sylius/releases/tag/v1.9.10",
            "https://github.com/advisories/GHSA-4jp3-q2qm-9fmw"
          ],
          "uuid": "37458656-e50b-460e-8165-d1bdcf81641f"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "1.9.10",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "1.10.11",
                "versionStartIncluding": "1.10.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "1.11.2",
                "versionStartIncluding": "1.11.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2022-24733"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Sylius is an open source eCommerce platform. Prior to versions 1.9.10, 1.10.11, and 1.11.2, it is possible for a page controlled by an attacker to load the website within an iframe. This will enable a clickjacking attack, in which the attacker\u0027s page overlays the target application\u0027s interface with a different interface provided by the attacker. The issue is fixed in versions 1.9.10, 1.10.11, and 1.11.2. A workaround is available. Every response from app should have an X-Frame-Options header set to: ``sameorigin``. To achieve that, add a new `subscriber` in the app."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-1021"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/Sylius/Sylius/security/advisories/GHSA-4jp3-q2qm-9fmw",
              "refsource": "CONFIRM",
              "tags": [
                "Mitigation",
                "Third Party Advisory"
              ],
              "url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-4jp3-q2qm-9fmw"
            },
            {
              "name": "https://github.com/Sylius/Sylius/releases/tag/v1.11.2",
              "refsource": "MISC",
              "tags": [
                "Release Notes",
                "Third Party Advisory"
              ],
              "url": "https://github.com/Sylius/Sylius/releases/tag/v1.11.2"
            },
            {
              "name": "https://github.com/Sylius/Sylius/releases/tag/v1.9.10",
              "refsource": "MISC",
              "tags": [
                "Release Notes",
                "Third Party Advisory"
              ],
              "url": "https://github.com/Sylius/Sylius/releases/tag/v1.9.10"
            },
            {
              "name": "https://github.com/Sylius/Sylius/releases/tag/v1.10.11",
              "refsource": "MISC",
              "tags": [
                "Release Notes",
                "Third Party Advisory"
              ],
              "url": "https://github.com/Sylius/Sylius/releases/tag/v1.10.11"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 5.8,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 8.6,
          "impactScore": 4.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": true
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 2.7
        }
      },
      "lastModifiedDate": "2022-03-22T17:32Z",
      "publishedDate": "2022-03-14T19:15Z"
    }
  }
}

CNVD-2022-22317

Vulnerability from cnvd - Published: 2022-03-24

Title

Sylius存在未明漏洞（CNVD-2022-22317）

Description

Sylius是波兰Sylius公司的一套基于Symfony框架的开源电子商务平台。 Sylius存在安全漏洞，该漏洞源于攻击者控制的页面可能会在 iframe 中加载网站。这将启用点击劫持攻击，攻击者可利用该漏洞提供不同界面覆盖目标应用程序的界面。

Severity

中

Patch Name

Sylius存在未明漏洞（CNVD-2022-22317）的补丁

Patch Description

Sylius是波兰Sylius公司的一套基于Symfony框架的开源电子商务平台。 Sylius存在安全漏洞，该漏洞源于攻击者控制的页面可能会在 iframe 中加载网站。这将启用点击劫持攻击，攻击者可利用该漏洞提供不同界面覆盖目标应用程序的界面。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://github.com/Sylius/Sylius/security/advisories/GHSA-4jp3-q2qm-9fmw

Reference

https://cxsecurity.com/cveshow/CVE-2022-24733/

Impacted products

Name
['sylius Sylius <1.9.10', 'sylius Sylius >=1.10.0，<1.10.11', 'sylius Sylius >=1.11.0，<1.11.2']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2022-24733"
    }
  },
  "description": "Sylius\u662f\u6ce2\u5170Sylius\u516c\u53f8\u7684\u4e00\u5957\u57fa\u4e8eSymfony\u6846\u67b6\u7684\u5f00\u6e90\u7535\u5b50\u5546\u52a1\u5e73\u53f0\u3002\n\nSylius\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u653b\u51fb\u8005\u63a7\u5236\u7684\u9875\u9762\u53ef\u80fd\u4f1a\u5728 iframe \u4e2d\u52a0\u8f7d\u7f51\u7ad9\u3002\u8fd9\u5c06\u542f\u7528\u70b9\u51fb\u52ab\u6301\u653b\u51fb\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u63d0\u4f9b\u4e0d\u540c\u754c\u9762\u8986\u76d6\u76ee\u6807\u5e94\u7528\u7a0b\u5e8f\u7684\u754c\u9762\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://github.com/Sylius/Sylius/security/advisories/GHSA-4jp3-q2qm-9fmw",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2022-22317",
  "openTime": "2022-03-24",
  "patchDescription": "Sylius\u662f\u6ce2\u5170Sylius\u516c\u53f8\u7684\u4e00\u5957\u57fa\u4e8eSymfony\u6846\u67b6\u7684\u5f00\u6e90\u7535\u5b50\u5546\u52a1\u5e73\u53f0\u3002\r\n\r\nSylius\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u653b\u51fb\u8005\u63a7\u5236\u7684\u9875\u9762\u53ef\u80fd\u4f1a\u5728 iframe \u4e2d\u52a0\u8f7d\u7f51\u7ad9\u3002\u8fd9\u5c06\u542f\u7528\u70b9\u51fb\u52ab\u6301\u653b\u51fb\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u63d0\u4f9b\u4e0d\u540c\u754c\u9762\u8986\u76d6\u76ee\u6807\u5e94\u7528\u7a0b\u5e8f\u7684\u754c\u9762\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Sylius\u5b58\u5728\u672a\u660e\u6f0f\u6d1e\uff08CNVD-2022-22317\uff09\u7684\u8865\u4e01",
  "products": {
    "product": [
      "sylius Sylius \u003c1.9.10",
      "sylius Sylius \u003e=1.10.0\uff0c\u003c1.10.11",
      "sylius Sylius \u003e=1.11.0\uff0c\u003c1.11.2"
    ]
  },
  "referenceLink": "https://cxsecurity.com/cveshow/CVE-2022-24733/",
  "serverity": "\u4e2d",
  "submitTime": "2022-03-16",
  "title": "Sylius\u5b58\u5728\u672a\u660e\u6f0f\u6d1e\uff08CNVD-2022-22317\uff09"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2022-24733 (GCVE-0-2022-24733)

GHSA-4JP3-Q2QM-9FMW

Impact

Patches

Workarounds

For more information

FKIE_CVE-2022-24733

GSD-2022-24733

CNVD-2022-22317

Tags

Sightings

Nomenclature