Lucene search

GitHub_MCVELIST:CVE-2024-34349

HistoryMay 10, 2024 - 3:29 p.m.

CVE-2024-34349 Sylius potentially vulnerable to Cross Site Scripting via "Name" field (Taxons, Products, Options, Variants) in Admin Panel

2024-05-1015:29:39

CWE-79

GitHub_M

www.cve.org

sylius

ecommerce

cross site scripting

admin panel

xss

name field

taxons

products

options

variants

security vulnerability

patch

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

0.0004 Low

EPSS

Percentile

9.1%

JSON

Sylius is an open source eCommerce platform. Prior to 1.12.16 and 1.13.1, there is a possibility to execute javascript code in the Admin panel. In order to perform an XSS attack input a script into Name field in which of the resources: Taxons, Products, Product Options or Product Variants. The code will be executed while using an autocomplete field with one of the listed entities in the Admin Panel. Also for the taxons in the category tree on the product form.The issue is fixed in versions: 1.12.16, 1.13.1.

CNA Affected

[
  {
    "vendor": "Sylius",
    "product": "Sylius",
    "versions": [
      {
        "version": "< 1.12.16",
        "status": "affected"
      },
      {
        "version": ">= 1.13.0-alpha.1, < 1.13.1",
        "status": "affected"
      }
    ]
  }
]

References

github.com/Sylius/Sylius/commit/ba4b66da5af88cdb1bba6174de8bdf42f4853e12

github.com/Sylius/Sylius/security/advisories/GHSA-v2f9-rv6w-vw8r

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

0.0004 Low

EPSS

Percentile

9.1%

JSON

Related for CVELIST:CVE-2024-34349