GHSA-4JP3-Q2QM-9FMW
Vulnerability from github – Published: 2022-03-14 21:55 – Updated: 2022-03-28 22:31
Summary
Improper Restriction of Rendered UI Layers or Frames in Sylius
Details
Impact
Responses from the application did not restrict framing, so a page controlled by an attacker can load the website inside an iframe. This enables a clickjacking attack, in which the attacker's page overlays the target application's interface with a different interface provided by the attacker, tricking an authenticated user into clicking controls they cannot see.
Patches
The issue is fixed in versions 1.9.10, 1.10.11 and 1.11.2, and in later releases on each of those branches.
Workarounds
Every response from the app should carry an X-Frame-Options header set to SAMEORIGIN (the value is case-insensitive, so sameorigin works as well). To achieve that, add a new event subscriber to your app. Note that this only covers responses produced by the Symfony kernel; static assets served directly by the web server need the header configured there. Browsers that support Content-Security-Policy give frame-ancestors precedence over X-Frame-Options, so a CSP with a permissive frame-ancestors directive would undo this workaround; setting both consistently (for example frame-ancestors 'self') is the usual practice.
```php
<?php
// src/EventListener/XFrameOptionsSubscriber.php
namespace App\EventListener;

use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpKernel\Event\ResponseEvent;
use Symfony\Component\HttpKernel\KernelEvents;

final class XFrameOptionsSubscriber implements EventSubscriberInterface
{
    public static function getSubscribedEvents(): array
    {
        return [
            KernelEvents::RESPONSE => 'onKernelResponse',
        ];
    }

    public function onKernelResponse(ResponseEvent $event): void
    {
        // Only the main request's response is sent to the browser; sub-requests
        // (ESI fragments, embedded controllers) do not need the header.
        if (!$this->isMainRequest($event)) {
            return;
        }

        $response = $event->getResponse();

        $response->headers->set('X-Frame-Options', 'sameorigin');
    }

    private function isMainRequest(ResponseEvent $event): bool
    {
        // Symfony 5.3 renamed isMasterRequest() to isMainRequest(); support both.
        if (\method_exists($event, 'isMainRequest')) {
            return $event->isMainRequest();
        }

        return $event->isMasterRequest();
    }
}
```
And register it in the container:
```yaml
# config/services.yaml
services:
    # ...
    App\EventListener\XFrameOptionsSubscriber:
        tags: ['kernel.event_subscriber']
```
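After deploying the workaround, the check a practitioner wants is whether a given response is still frameable by a foreign origin, taking into account both X-Frame-Options and the CSP frame-ancestors directive that overrides it. The following Python checker is an added example written for this advisory; it is not Sylius or Symfony code. It assumes the framing rules of current Chromium and Firefox (unrecognised X-Frame-Options values such as ALLOW-FROM are ignored, conflicting values fall back to DENY, frame-ancestors obsoletes X-Frame-Options), it consults only the first Content-Security-Policy header, and the four header sets in SAMPLES are constructed to model an unpatched Sylius response, the advisory's workaround, a CSP-only policy, and a CSP that silently defeats X-Frame-Options.

```python
"""Decide whether a browser would let an embedding origin frame a page, judging
only by the page's response headers. Added example for GHSA-4jp3-q2qm-9fmw;
not Sylius or Symfony code. Header semantics follow current Chromium/Firefox."""
from typing import Optional
from urllib.parse import urlsplit


def _origin(url: str) -> str:
    """Reduce a URL to its scheme://host[:port] origin, lower-cased."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def csp_frame_ancestors(headers: dict) -> Optional[list]:
    """Return the frame-ancestors source list, or None when the directive is
    absent. Simplification: only one Content-Security-Policy header is read."""
    csp = headers.get("content-security-policy")
    if csp is None:
        return None
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None


def _source_matches(source: str, page_origin: str, embedder: str) -> bool:
    """Does one frame-ancestors source expression permit `embedder`?"""
    if source == "'none'":
        return False
    if source == "'self'":
        return embedder == page_origin
    if source == "*":
        return True
    if source.endswith(":") and "/" not in source:      # scheme-source, e.g. https:
        return embedder.startswith(source + "//")
    if source.startswith("*."):                        # wildcard host, e.g. *.shop.example
        host = urlsplit(embedder).hostname or ""
        return host.endswith(source[1:])
    if "://" not in source:                            # bare host inherits the page's scheme
        source = page_origin.split("://")[0] + "://" + source
    return _origin(source) == embedder


def frameable_by(headers: dict, page_url: str, embedder_url: str) -> bool:
    """True if a modern browser would render page_url inside a frame hosted on
    embedder_url, i.e. the response is still exposed to clickjacking from there."""
    h = {k.lower(): v for k, v in headers.items()}
    page, embedder = _origin(page_url), _origin(embedder_url)

    # CSP Level 2: when frame-ancestors is present, X-Frame-Options is ignored.
    sources = csp_frame_ancestors(h)
    if sources is not None:
        return any(_source_matches(s, page, embedder) for s in sources)

    xfo = h.get("x-frame-options")
    if xfo is None:
        return True                                   # the unpatched Sylius case: no header at all
    values = {v.strip().lower() for v in xfo.split(",")}  # duplicate headers fold into one line
    if len(values) > 1:
        return False                                  # conflicting values: Chromium falls back to DENY
    value = values.pop()
    if value == "deny":
        return False
    if value == "sameorigin":
        return embedder == page
    # ALLOW-FROM and typos are not recognised by current browsers and are ignored,
    # so the page stays frameable (assumption stated in the lead-in).
    return True


# Constructed header sets, not captured from a real deployment.
SAMPLES = {
    "unpatched": {"Content-Type": "text/html"},
    "advisory_workaround": {"Content-Type": "text/html", "X-Frame-Options": "sameorigin"},
    "csp_only": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' https://admin.shop.example"},
    "csp_overrides_xfo": {"X-Frame-Options": "DENY", "Content-Security-Policy": "frame-ancestors *"},
}


def audit(samples: dict = SAMPLES, page: str = "https://shop.example/",
          attacker: str = "https://attacker.example/") -> dict:
    """Map each sample name to whether the attacker origin could frame the page."""
    return {name: frameable_by(hdrs, page, attacker) for name, hdrs in samples.items()}


if __name__ == "__main__":
    for name, exposed in audit().items():
        print(f"{name:22s} frameable by attacker: {exposed}")
```

Feed it the headers from any HTTP client (for example the output of curl -I against the storefront and the admin panel) to confirm that every response, not just HTML pages rendered through the kernel, comes back with exposed = False for a foreign origin.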
For more information
If you have any questions or comments about this advisory:
- Open an issue in Sylius issues (https://github.com/Sylius/Sylius/issues)
- Email us at security@sylius.com
Severity
6.1 (Medium)
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "sylius/sylius"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.9.10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "sylius/sylius"
},
"ranges": [
{
"events": [
{
"introduced": "1.10.0"
},
{
"fixed": "1.10.11"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "sylius/sylius"
},
"ranges": [
{
"events": [
{
"introduced": "1.11.0"
},
{
"fixed": "1.11.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-24733"
],
"database_specific": {
"cwe_ids": [
"CWE-1021"
],
"github_reviewed": true,
"github_reviewed_at": "2022-03-14T21:55:33Z",
"nvd_published_at": "2022-03-14T19:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nIt is possible for a page controlled by an attacker to load the website within an iframe. This will enable a clickjacking attack, in which the attacker\u0027s page overlays the target application\u0027s interface with a different interface provided by the attacker\n\n### Patches\n\nThe issue is fixed in versions: 1.9.10, 1.10.11, 1.11.2, and above.\n\n### Workarounds\n\nEvery response from app should have an X-Frame-Options header set to: ``sameorigin``. To achieve that you just need to add a new **subscriber** in your app. \n\n```php\n\u003c?php\n\n// src/EventListener/XFrameOptionsSubscriber.php\n\nnamespace App\\EventListener\n\nfinal class XFrameOptionsSubscriber implements EventSubscriberInterface\n{\n public static function getSubscribedEvents(): array\n {\n return [\n KernelEvents::RESPONSE =\u003e \u0027onKernelResponse\u0027,\n ];\n }\n\n public function onKernelResponse(ResponseEvent $event): void\n {\n if (!$this-\u003eisMainRequest($event)) {\n return;\n }\n\n $response = $event-\u003egetResponse();\n\n $response-\u003eheaders-\u003eset(\u0027X-Frame-Options\u0027, \u0027sameorigin\u0027);\n }\n\n private function isMainRequest(ResponseEvent $event): bool\n {\n if (\\method_exists($event, \u0027isMainRequest\u0027)) {\n return $event-\u003eisMainRequest();\n }\n\n return $event-\u003eisMasterRequest();\n }\n}\n\n```\n\nAnd register it in the container:\n\n```yaml\n# config/services.yaml\nservices:\n # ...\n App\\EventListener\\XFrameOptionsSubscriber:\n tags: [\u0027kernel.event_subscriber\u0027]\n```\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [Sylius issues](https://github.com/Sylius/Sylius/issues)\n* Email us at [security@sylius.com](mailto:security@sylius.com)\n",
"id": "GHSA-4jp3-q2qm-9fmw",
"modified": "2022-03-28T22:31:17Z",
"published": "2022-03-14T21:55:33Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-4jp3-q2qm-9fmw"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24733"
},
{
"type": "PACKAGE",
"url": "https://github.com/Sylius/Sylius"
},
{
"type": "WEB",
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.10.11"
},
{
"type": "WEB",
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.11.2"
},
{
"type": "WEB",
"url": "https://github.com/Sylius/Sylius/releases/tag/v1.9.10"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Improper Restriction of Rendered UI Layers or Frames in Sylius"
}