Sylius Resource Bundle Cross-Site Request Forgery vulnerability

2024-05-2918:50:22

CWE-352

GitHub Advisory Database

github.com

sylius

cross-site request forgery

vulnerability

adminbundle

resourcebundle

fixed

csrf token

api context

6.9 Medium

AI Score

Confidence

Low

JSON

Sylius 1.0.0 to 1.0.16, 1.1.0 to 1.1.8, 1.2.0 to 1.2.1 versions of AdminBundle and ResourceBundle are affected by this security issue.

This issue has been fixed in Sylius 1.0.17, 1.1.9 and 1.2.2. Development branch for 1.3 release has also been fixed.

Description

The following actions in the admin panel did not require a CSRF token:

marking order’s payment as completed
marking order’s payment as refunded
marking product review as accepted
marking product review as rejected

Resolution

The issue is fixed by adding a required CSRF token to those actions.

We also fixed ResourceController‘s applyStateMachineTransitionAction method by adding a CSRF token check. If you use that action in the API context, you can disable it by adding csrf_protection: false to its routing configuration

Affected configurations

Vulners

Node

syliuspaypalRange<1.2.2sylius

syliuspaypalRange<1.1.9sylius

syliuspaypalRange<1.0.17sylius

CPENameOperatorVersion
sylius/resource-bundlelt1.2.2
sylius/resource-bundlelt1.1.9
sylius/resource-bundlelt1.0.17

Name	Operator	Version
sylius/resource-bundle	lt	1.2.2
sylius/resource-bundle	lt	1.1.9
sylius/resource-bundle	lt	1.0.17

References

github.com/advisories/GHSA-65v7-wg35-2qpm

github.com/FriendsOfPHP/security-advisories/blob/master/sylius/sylius/2018-07-09.yaml

github.com/Sylius/SyliusResourceBundle/commit/9720ac5a0a39ea2c2a395ef16a94a00aa86c418b

sylius.com/blog/csrf-vulnerability-in-admin-panel

6.9 Medium

AI Score

Confidence

Low

JSON