Cross-Site Scripting Vulnerability in Sylius eCommerce Platform
CVE-2024-34349

4.8MEDIUM

Key Information:

Vendor: Sylius
Status: Sylius
Vendor: CVE Published:; 14 May 2024

Summary

Sylius, an open-source eCommerce platform, has a vulnerability that allows for the execution of JavaScript code within the Admin panel prior to versions 1.12.16 and 1.13.1. This security flaw potentially enables attackers to perform cross-site scripting (XSS) attacks by injecting scripts into the Name fields of entities such as Taxons, Products, Product Options, or Product Variants. The malicious code could be executed through an autocomplete feature in the Admin Panel or within the category tree of taxons on product forms. Users are advised to upgrade to the latest fixed versions to safeguard their platforms against such attacks. For further details, visit the official security advisory here and the commit information here.

Affected Version(s)

Sylius < 1.12.16 < 1.12.16

Sylius >= 1.13.0-alpha.1, < 1.13.1 < 1.13.0-alpha.1, 1.13.1

References

https://github.com/Sylius/Sylius/security/advisories/GHSA...

x_refsource_CONFIRM

https://github.com/Sylius/Sylius/commit/ba4b66da5af88cdb1...

x_refsource_MISC

CVSS V3.1

Score:

4.8

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
May 14, 2024
Vulnerability Reserved
May 2, 2024