Sylius Admin Bundle Cross-Site Request Forgery vulnerability

2024-05-2918:50:26

GitHub Advisory Database

github.com

sylius

adminbundle

resourcebundle

cross-site request forgery

csrf

vulnerability

security

update

patch

api

AI Score

6.9

Confidence

Low

JSON

Sylius 1.0.0 to 1.0.16, 1.1.0 to 1.1.8, 1.2.0 to 1.2.1 versions of AdminBundle and ResourceBundle are affected by this security issue.

This issue has been fixed in Sylius 1.0.17, 1.1.9 and 1.2.2. Development branch for 1.3 release has also been fixed.

Description

The following actions in the admin panel did not require a CSRF token:

marking order’s payment as completed
marking order’s payment as refunded
marking product review as accepted
marking product review as rejected

Resolution

The issue is fixed by adding a required CSRF token to those actions.

We also fixed ResourceController‘s applyStateMachineTransitionAction method by adding a CSRF token check. If you use that action in the API context, you can disable it by adding csrf_protection: false to its routing configuration

Affected configurations

Vulners

Node

syliuspaypalRange1.2.0–1.2.2sylius

syliuspaypalRange1.1.0–1.1.9sylius

syliuspaypalRange1.0.0–1.0.17sylius

VendorProductVersionCPE
syliuspaypal*cpe:2.3:a:sylius:paypal:*:*:*:*:*:sylius:*:*

Vendor	Product	Version	CPE
sylius	paypal	*	cpe:2.3:a:sylius:paypal::::::sylius::*

References

github.com/advisories/GHSA-945h-6vcv-pc8h

github.com/FriendsOfPHP/security-advisories/blob/master/sylius/admin-bundle/2018-07-09.yaml

github.com/Sylius/SyliusAdminBundle/commit/79c2d963bed61411b1eef15715a74d2d96b91884

sylius.com/blog/csrf-vulnerability-in-admin-panel

AI Score

6.9

Confidence

Low

JSON