XSS injection in the Grid component of Sylius

2020-04-1521:07:59

Google

osv.dev

0.001 Low

EPSS

Percentile

22.7%

JSON

Grid component of Sylius omits HTML input sanitisation while rendering object implementing __toString() method through the string field type.

CPENameOperatorVersion
sylius/grideq1.2.10
sylius/grid-bundleeq1.1.7
sylius/syliuseq1.3.5
sylius/syliuseq1.1.13
sylius/grid-bundleeq1.2.10
sylius/grideq1.0.14
sylius/syliuseq1.0.11
sylius/syliuseq1.1.5
sylius/grid-bundleeq1.0.14
sylius/grideq1.0.12

Name	Operator	Version
sylius/grid	eq	1.2.10
sylius/grid-bundle	eq	1.1.7
sylius/sylius	eq	1.3.5
sylius/sylius	eq	1.1.13
sylius/grid-bundle	eq	1.2.10
sylius/grid	eq	1.0.14
sylius/sylius	eq	1.0.11
sylius/sylius	eq	1.1.5
sylius/grid-bundle	eq	1.0.14
sylius/grid	eq	1.0.12