GHSA-65V7-WG35-2QPM

Vulnerability from github – Published: 2024-05-29 18:50 – Updated: 2024-05-29 18:50
VLAI
Summary
Sylius Resource Bundle Cross-Site Request Forgery vulnerability
Details

Sylius 1.0.0 to 1.0.16, 1.1.0 to 1.1.8, 1.2.0 to 1.2.1 versions of AdminBundle and ResourceBundle are affected by this security issue.

This issue has been fixed in Sylius 1.0.17, 1.1.9 and 1.2.2. Development branch for 1.3 release has also been fixed.

Description

The following actions in the admin panel did not require a CSRF token:

  • marking order’s payment as completed
  • marking order’s payment as refunded
  • marking product review as accepted
  • marking product review as rejected

Resolution

The issue is fixed by adding a required CSRF token to those actions.

We also fixed ResourceController‘s applyStateMachineTransitionAction method by adding a CSRF token check. If you use that action in the API context, you can disable it by adding csrf_protection: false to its routing configuration

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "sylius/resource-bundle"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.0"
            },
            {
              "fixed": "1.0.17"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "sylius/resource-bundle"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.1.0"
            },
            {
              "fixed": "1.1.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "sylius/resource-bundle"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.2.0"
            },
            {
              "fixed": "1.2.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-352"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-29T18:50:22Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "Sylius 1.0.0 to 1.0.16, 1.1.0 to 1.1.8, 1.2.0 to 1.2.1 versions of AdminBundle and ResourceBundle are affected by this security issue.\n\nThis issue has been fixed in Sylius 1.0.17, 1.1.9 and 1.2.2. Development branch for 1.3 release has also been fixed.\n\n### Description\n\nThe following actions in the admin panel did not require a CSRF token:\n\n- marking order\u2019s payment as completed\n- marking order\u2019s payment as refunded\n- marking product review as accepted\n- marking product review as rejected\n\n### Resolution\n\nThe issue is fixed by adding a required CSRF token to those actions.\n\nWe also fixed `ResourceController`\u2018s  `applyStateMachineTransitionAction` method by adding a CSRF token check. If you use that action in the API context, you can disable it by adding `csrf_protection:` false to its routing configuration",
  "id": "GHSA-65v7-wg35-2qpm",
  "modified": "2024-05-29T18:50:22Z",
  "published": "2024-05-29T18:50:22Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Sylius/SyliusResourceBundle/commit/9720ac5a0a39ea2c2a395ef16a94a00aa86c418b"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/sylius/sylius/2018-07-09.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Sylius/SyliusResourceBundle"
    },
    {
      "type": "WEB",
      "url": "https://sylius.com/blog/csrf-vulnerability-in-admin-panel"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Sylius Resource Bundle Cross-Site Request Forgery vulnerability"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…