16 matches found

Snyk, added 2026/03/11 12:13 a.m.

Improper Neutralization of Special Elements in Data Query Logic

Overview: sylius/sylius is a platform for PHP, based on the Symfony framework. Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Data Query Logic via the order query parameter in API filters. An attacker can access sensitive information from the databas...

CVSS 6.9, AI score 5.9, EPSS 0.00047
Exploits 0, References 3
OSV, added 2026/03/11 12:13 a.m.

GHSA-MX4Q-XXC9-PF5Q Sylius Vulnerable to Authenticated Stored XSS

Impact: An authenticated stored cross-site scripting (XSS) vulnerability exists in multiple places across the shop frontend and admin panel due to unsanitized entity names being rendered as raw HTML. Shop breadcrumbs (shared/breadcrumbs.html.twig): The breadcrumbs macro uses the Twig |raw filter on...

CVSS 4.8, AI score 5.9, EPSS 0.00043
Exploits 0, References 3
CNNVD, added 2026/03/10 12:00 a.m.

Sylius security vulnerability

Sylius is an open-source e-commerce platform developed by the Polish company Sylius, based on the Symfony framework. There is a security vulnerability in Sylius. This vulnerability stems from the fact that the ProductPriceOrderFilter and TranslationOrderNameAndLocaleFilter API filters directly pa...

CVSS 5.3, AI score 5.9, EPSS 0.00047
Exploits 0, References 1
CNNVD, added 2026/03/10 12:00 a.m.

Sylius security vulnerability

Sylius is an open-source e-commerce platform developed by the Polish company Sylius, based on the Symfony framework. There is a security vulnerability in Sylius, which stems from a race condition between the check time and the use time during the enforcement of promotional usage restrictions. Thi...

CVSS 8.2, AI score 5.8, EPSS 0.00067
Exploits 0, References 1
EUVD, added 2025/10/07 12:30 a.m.

EUVD-2019-0773

Malware in sbrugna...

CVSS 4.3, AI score 4.7, EPSS 0.00347
Exploits 0, References 5
EUVD, added 2025/10/07 12:30 a.m.

EUVD-2020-0273

Malware in sbrugna...

CVSS 5.3, AI score 4.7, EPSS 0.00323
Exploits 0, References 5
EUVD, added 2025/10/03 8:07 p.m.

EUVD-2024-53645

Malicious code in bioql PyPI...

CVSS 7.5, AI score 6.3, EPSS 0.09773
Exploits 1, References 5
RedhatCVE, added 2025/05/23 10:18 a.m.

CVE-2024-29376

Sylius 1.12.13 is vulnerable to Cross Site Scripting (XSS) via the "Province" field in Address Book...

CVSS 6.4, AI score 6, EPSS 0.00133
Exploits 1, References 1
RedhatCVE, added 2025/05/23 7:38 a.m.

CVE-2024-40633

Sylius is an Open Source eCommerce Framework on Symfony. A security vulnerability was discovered in the /api/v2/shop/adjustments/{id} endpoint, which retrieves order adjustments based on incremental integer IDs. The vulnerability allows an attacker to enumerate valid adjustment IDs and retrieve ord...

CVSS 5.3, AI score 5.1, EPSS 0.00239
Exploits 0, References 1
RedhatCVE, added 2025/05/22 3:38 p.m.

CVE-2020-5218

Affected versions of Sylius give attackers the ability to switch channels via the _channel_code GET parameter in production environments. This was meant to be enabled only when kernel.debug is set to true. However, if no sylius_channel.debug is set explicitly in the configuration, the default value...

CVSS 4.4, AI score 6.8, EPSS 0.00305
Exploits 0
Vulnrichment, added 2025/02/06 12:00 a.m.

CVE-2024-57610

A rate limiting issue in Sylius v2.0.2 allows a remote attacker to perform unrestricted brute-force attacks on user accounts, significantly increasing the risk of account compromise and denial of service for legitimate users. The Supplier's position is that the Sylius core software is not intende...

AI score 7.2, EPSS 0.09773
Exploits 1, References 3
Veracode, added 2024/12/02 5:11 a.m.

Cross-site Scripting (XSS)

sylius/sylius is vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to improper validation of uploaded SVG files, allowing attackers to inject malicious scripts that execute in the user's browser context...

CVSS 5.4, AI score 6.2, EPSS 0.00154
Exploits 0, References 3, Affected software 1
Github Security Blog, added 2024/04/22 9:31 p.m.

Duplicate Advisory: Sylius Cross Site Scripting (XSS) vulnerability

Duplicate Advisory: This advisory has been withdrawn because it is a duplicate of GHSA-7prj-9ccr-hr3q. This link is maintained to preserve external references. Original Description: Sylius 1.12.13 is vulnerable to Cross Site Scripting (XSS) via the "Province" field in Address Book...

CVSS 6.4, AI score 5.7, EPSS 0.00133
Exploits 1, References 3, Affected software 1
Positive Technologies, added 2024/04/22 12:00 a.m.

PT-2024-22871

Name of the Vulnerable Software and Affected Versions: Sylius versions 1.12.13 through 1.12.15; Sylius versions prior to 1.13.1. Description: The issue is related to Cross Site Scripting (XSS) via the "Province" field in Address Book. There is a possibility to save XSS code in the province field in t...

CVSS 6.4, AI score 6, EPSS 0.00133
Exploits 1, References 9
CNVD, added 2021/06/29 12:00 a.m.

Sylius Unauthorized Access Vulnerability

Sylius is an open-source e-commerce platform from the Polish company Sylius, based on the Symfony framework. A security vulnerability exists in Sylius versions prior to 1.9.5 and 1.10.0-RC, which stems from the fact that some of the details of an order placed in Sylius (order ID, order number, total...

CVSS 5.3, AI score 6.4, EPSS 0.00221
Exploits 0, References 1
Cvelist, added 2020/01/27 8:25 p.m.

CVE-2020-5218 Ability in Sylius to switch channels via GET parameter enabled in production environments

Affected versions of Sylius give attackers the ability to switch channels via the _channel_code GET parameter in production environments. This was meant to be enabled only when kernel.debug is set to true. However, if no sylius_channel.debug is set explicitly in the configuration, the default value...

CVSS 4.4, AI score 4.6, EPSS 0.00305
Exploits 0, References 2