GHSA-65V7-WG35-2QPM
Vulnerability from github – Published: 2024-05-29 18:50 – Updated: 2024-05-29 18:50
VLAI
Summary
Sylius Resource Bundle Cross-Site Request Forgery vulnerability
Details
Sylius 1.0.0 to 1.0.16, 1.1.0 to 1.1.8, 1.2.0 to 1.2.1 versions of AdminBundle and ResourceBundle are affected by this security issue.
This issue has been fixed in Sylius 1.0.17, 1.1.9 and 1.2.2. Development branch for 1.3 release has also been fixed.
Description
The following actions in the admin panel did not require a CSRF token:
- marking order’s payment as completed
- marking order’s payment as refunded
- marking product review as accepted
- marking product review as rejected
Resolution
The issue is fixed by adding a required CSRF token to those actions.
We also fixed ResourceController‘s applyStateMachineTransitionAction method by adding a CSRF token check. If you use that action in the API context, you can disable it by adding csrf_protection: false to its routing configuration
Severity
6.5 (Medium)
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "sylius/resource-bundle"
},
"ranges": [
{
"events": [
{
"introduced": "1.0.0"
},
{
"fixed": "1.0.17"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "sylius/resource-bundle"
},
"ranges": [
{
"events": [
{
"introduced": "1.1.0"
},
{
"fixed": "1.1.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "sylius/resource-bundle"
},
"ranges": [
{
"events": [
{
"introduced": "1.2.0"
},
{
"fixed": "1.2.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-352"
],
"github_reviewed": true,
"github_reviewed_at": "2024-05-29T18:50:22Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "Sylius 1.0.0 to 1.0.16, 1.1.0 to 1.1.8, 1.2.0 to 1.2.1 versions of AdminBundle and ResourceBundle are affected by this security issue.\n\nThis issue has been fixed in Sylius 1.0.17, 1.1.9 and 1.2.2. Development branch for 1.3 release has also been fixed.\n\n### Description\n\nThe following actions in the admin panel did not require a CSRF token:\n\n- marking order\u2019s payment as completed\n- marking order\u2019s payment as refunded\n- marking product review as accepted\n- marking product review as rejected\n\n### Resolution\n\nThe issue is fixed by adding a required CSRF token to those actions.\n\nWe also fixed `ResourceController`\u2018s `applyStateMachineTransitionAction` method by adding a CSRF token check. If you use that action in the API context, you can disable it by adding `csrf_protection:` false to its routing configuration",
"id": "GHSA-65v7-wg35-2qpm",
"modified": "2024-05-29T18:50:22Z",
"published": "2024-05-29T18:50:22Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Sylius/SyliusResourceBundle/commit/9720ac5a0a39ea2c2a395ef16a94a00aa86c418b"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/sylius/sylius/2018-07-09.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/Sylius/SyliusResourceBundle"
},
{
"type": "WEB",
"url": "https://sylius.com/blog/csrf-vulnerability-in-admin-panel"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Sylius Resource Bundle Cross-Site Request Forgery vulnerability"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…