GHSA-7PRJ-9CCR-HR3Q

Vulnerability from github – Published: 2024-05-10 15:33 – Updated: 2024-05-10 15:33
VLAI?
Summary
Sylius has potential Cross Site Scripting vulnerability via the "Province" field in the Checkout and Address Book
Details

Impact

There is a possibility to save XSS code in province field in the Checkout and Address Book and then execute it on these pages. The problem occurs when you open the address step page in the checkout or edit the address in the address book. This only affects the base UI Shop provided by Sylius.

Patches

The issue is fixed in versions: 1.12.16, 1.13.1 and above.

Workarounds

  1. Create new file assets/shop/sylius-province-field.js:
// assets/shop/sylius-province-field.js

function sanitizeInput(input) {
  const div = document.createElement('div');
  div.textContent = input;
  return div.innerHTML; // Converts text content to plain HTML, stripping any scripts
}

const getProvinceInputValue = function getProvinceInputValue(valueSelector) {
  return valueSelector == undefined ? '' : `value="${sanitizeInput(valueSelector)}"`;
};

$.fn.extend({
  provinceField() {
    const countrySelect = $('select[name$="[countryCode]"]');

    countrySelect.on('change', (event) => {
      const select = $(event.currentTarget);
      const provinceContainer = select.parents('.field').next('div.province-container');

      const provinceSelectFieldName = select.attr('name').replace('country', 'province');
      const provinceInputFieldName = select.attr('name').replace('countryCode', 'provinceName');

      const provinceSelectFieldId = select.attr('id').replace('country', 'province');
      const provinceInputFieldId = select.attr('id').replace('countryCode', 'provinceName');

      const form = select.parents('form');

      if (select.val() === '' || select.val() == undefined) {
        provinceContainer.fadeOut('slow', () => {
          provinceContainer.html('');
        });

        return;
      }

      provinceContainer.attr('data-loading', true);
      form.addClass('loading');

      $.get(provinceContainer.attr('data-url'), { countryCode: select.val() }, (response) => {
        if (!response.content) {
          provinceContainer.fadeOut('slow', () => {
            provinceContainer.html('');

            provinceContainer.removeAttr('data-loading');
            form.removeClass('loading');
          });
        } else if (response.content.indexOf('select') !== -1) {
          provinceContainer.fadeOut('slow', () => {
            const provinceSelectValue = getProvinceInputValue((
              $(provinceContainer).find('select > option[selected$="selected"]').val()
            ));

            provinceContainer.html((
              response.content
                .replace('name="sylius_address_province"', `name="${provinceSelectFieldName}"${provinceSelectValue}`)
                .replace('id="sylius_address_province"', `id="${provinceSelectFieldId}"`)
                .replace('option value="" selected="selected"', 'option value=""')
                .replace(`option ${provinceSelectValue}`, `option ${provinceSelectValue}" selected="selected"`)
            ));
            provinceContainer.addClass('required');
            provinceContainer.removeAttr('data-loading');

            provinceContainer.fadeIn('fast', () => {
              form.removeClass('loading');
            });
          });
        } else {
          provinceContainer.fadeOut('slow', () => {
            const provinceInputValue = getProvinceInputValue($(provinceContainer).find('input').val());

            provinceContainer.html((
              response.content
                .replace('name="sylius_address_province"', `name="${provinceInputFieldName}"${provinceInputValue}`)
                .replace('id="sylius_address_province"', `id="${provinceInputFieldId}"`)
            ));

            provinceContainer.removeAttr('data-loading');

            provinceContainer.fadeIn('fast', () => {
              form.removeClass('loading');
            });
          });
        }
      });
    });

    if (countrySelect.val() !== '') {
      countrySelect.trigger('change');
    }

    if ($.trim($('div.province-container').text()) === '') {
      $('select.country-select').trigger('change');
    }

    const shippingAddressCheckbox = $('input[type="checkbox"][name$="[differentShippingAddress]"]');
    const shippingAddressContainer = $('#sylius-shipping-address-container');
    const toggleShippingAddress = function toggleShippingAddress() {
      shippingAddressContainer.toggle(shippingAddressCheckbox.prop('checked'));
    };
    toggleShippingAddress();
    shippingAddressCheckbox.on('change', toggleShippingAddress);
  },
});
  1. Add new import in assets/shop/entry.js:
// assets/shop/entry.js
// ...
import './sylius-province-field';
  1. Rebuild your assets:
yarn build

Acknowledgements

This security issue has been reported by @r2tunes, thank you!

References

  • The original advisory: https://github.com/advisories/GHSA-mw82-6m2g-qh6c

For more information

If you have any questions or comments about this advisory: * Open an issue in Sylius issues * Email us at security@sylius.com

Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "sylius/sylius"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.12.0-alpha.1"
            },
            {
              "fixed": "1.12.16"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "sylius/sylius"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.13.0-alpha.1"
            },
            {
              "fixed": "1.13.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-29376"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-10T15:33:22Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nThere is a possibility to save XSS code in province field in the Checkout and Address Book and then execute it on these pages. The problem occurs when you open the address step page in the checkout or edit the address in the address book. This only affects the base UI Shop provided by Sylius.\n\n### Patches\nThe issue is fixed in versions: 1.12.16, 1.13.1 and above.\n\n### Workarounds\n\n1. Create new file `assets/shop/sylius-province-field.js`:\n\n```js\n// assets/shop/sylius-province-field.js\n\nfunction sanitizeInput(input) {\n  const div = document.createElement(\u0027div\u0027);\n  div.textContent = input;\n  return div.innerHTML; // Converts text content to plain HTML, stripping any scripts\n}\n\nconst getProvinceInputValue = function getProvinceInputValue(valueSelector) {\n  return valueSelector == undefined ? \u0027\u0027 : `value=\"${sanitizeInput(valueSelector)}\"`;\n};\n\n$.fn.extend({\n  provinceField() {\n    const countrySelect = $(\u0027select[name$=\"[countryCode]\"]\u0027);\n\n    countrySelect.on(\u0027change\u0027, (event) =\u003e {\n      const select = $(event.currentTarget);\n      const provinceContainer = select.parents(\u0027.field\u0027).next(\u0027div.province-container\u0027);\n\n      const provinceSelectFieldName = select.attr(\u0027name\u0027).replace(\u0027country\u0027, \u0027province\u0027);\n      const provinceInputFieldName = select.attr(\u0027name\u0027).replace(\u0027countryCode\u0027, \u0027provinceName\u0027);\n\n      const provinceSelectFieldId = select.attr(\u0027id\u0027).replace(\u0027country\u0027, \u0027province\u0027);\n      const provinceInputFieldId = select.attr(\u0027id\u0027).replace(\u0027countryCode\u0027, \u0027provinceName\u0027);\n\n      const form = select.parents(\u0027form\u0027);\n\n      if (select.val() === \u0027\u0027 || select.val() == undefined) {\n        provinceContainer.fadeOut(\u0027slow\u0027, () =\u003e {\n          provinceContainer.html(\u0027\u0027);\n        });\n\n        return;\n      }\n\n      provinceContainer.attr(\u0027data-loading\u0027, true);\n      form.addClass(\u0027loading\u0027);\n\n      $.get(provinceContainer.attr(\u0027data-url\u0027), { countryCode: select.val() }, (response) =\u003e {\n        if (!response.content) {\n          provinceContainer.fadeOut(\u0027slow\u0027, () =\u003e {\n            provinceContainer.html(\u0027\u0027);\n\n            provinceContainer.removeAttr(\u0027data-loading\u0027);\n            form.removeClass(\u0027loading\u0027);\n          });\n        } else if (response.content.indexOf(\u0027select\u0027) !== -1) {\n          provinceContainer.fadeOut(\u0027slow\u0027, () =\u003e {\n            const provinceSelectValue = getProvinceInputValue((\n              $(provinceContainer).find(\u0027select \u003e option[selected$=\"selected\"]\u0027).val()\n            ));\n\n            provinceContainer.html((\n              response.content\n                .replace(\u0027name=\"sylius_address_province\"\u0027, `name=\"${provinceSelectFieldName}\"${provinceSelectValue}`)\n                .replace(\u0027id=\"sylius_address_province\"\u0027, `id=\"${provinceSelectFieldId}\"`)\n                .replace(\u0027option value=\"\" selected=\"selected\"\u0027, \u0027option value=\"\"\u0027)\n                .replace(`option ${provinceSelectValue}`, `option ${provinceSelectValue}\" selected=\"selected\"`)\n            ));\n            provinceContainer.addClass(\u0027required\u0027);\n            provinceContainer.removeAttr(\u0027data-loading\u0027);\n\n            provinceContainer.fadeIn(\u0027fast\u0027, () =\u003e {\n              form.removeClass(\u0027loading\u0027);\n            });\n          });\n        } else {\n          provinceContainer.fadeOut(\u0027slow\u0027, () =\u003e {\n            const provinceInputValue = getProvinceInputValue($(provinceContainer).find(\u0027input\u0027).val());\n\n            provinceContainer.html((\n              response.content\n                .replace(\u0027name=\"sylius_address_province\"\u0027, `name=\"${provinceInputFieldName}\"${provinceInputValue}`)\n                .replace(\u0027id=\"sylius_address_province\"\u0027, `id=\"${provinceInputFieldId}\"`)\n            ));\n\n            provinceContainer.removeAttr(\u0027data-loading\u0027);\n\n            provinceContainer.fadeIn(\u0027fast\u0027, () =\u003e {\n              form.removeClass(\u0027loading\u0027);\n            });\n          });\n        }\n      });\n    });\n\n    if (countrySelect.val() !== \u0027\u0027) {\n      countrySelect.trigger(\u0027change\u0027);\n    }\n\n    if ($.trim($(\u0027div.province-container\u0027).text()) === \u0027\u0027) {\n      $(\u0027select.country-select\u0027).trigger(\u0027change\u0027);\n    }\n\n    const shippingAddressCheckbox = $(\u0027input[type=\"checkbox\"][name$=\"[differentShippingAddress]\"]\u0027);\n    const shippingAddressContainer = $(\u0027#sylius-shipping-address-container\u0027);\n    const toggleShippingAddress = function toggleShippingAddress() {\n      shippingAddressContainer.toggle(shippingAddressCheckbox.prop(\u0027checked\u0027));\n    };\n    toggleShippingAddress();\n    shippingAddressCheckbox.on(\u0027change\u0027, toggleShippingAddress);\n  },\n});\n```\n\n2. Add new import in `assets/shop/entry.js`:\n\n```js\n// assets/shop/entry.js\n// ...\nimport \u0027./sylius-province-field\u0027;\n```\n\n3. Rebuild your assets:\n\n```bash\nyarn build\n``` \n\n### Acknowledgements\n\nThis security issue has been reported by @r2tunes, thank you!\n\n### References\n\n- The original advisory: https://github.com/advisories/GHSA-mw82-6m2g-qh6c\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [Sylius issues](https://github.com/Sylius/Sylius/issues)\n* Email us at security@sylius.com\n",
  "id": "GHSA-7prj-9ccr-hr3q",
  "modified": "2024-05-10T15:33:22Z",
  "published": "2024-05-10T15:33:22Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-7prj-9ccr-hr3q"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29376"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Sylius/Sylius/commit/fb0ecb275747e364f1d4744ed8605c57f9bd8a80"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Sylius/Sylius"
    },
    {
      "type": "WEB",
      "url": "https://github.com/r2tunes/Reports/blob/main/Sylius.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Sylius has potential Cross Site Scripting vulnerability via the \"Province\" field in the Checkout and Address Book"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.