5 matches found

BDU FSTEC
added 2022/04/04 12:00 a.m., 2 views

The vulnerability of the SyliusGridBundle e-commerce platform for Symfony applications, related to the lack of protection for SQL query structures, allows attackers to execute arbitrary SQL queries.

The vulnerability of the SyliusGridBundle e-commerce platform for Symfony applications is related to the lack of protective measures for SQL query structures. Exploiting this vulnerability allows an attacker to execute arbitrary SQL queries remotely...

CVSS 10 | AI score 8.1 | EPSS 0.01337
Exploits 0 | References 9 | Affected Software 1

Veracode
added 2022/03/16 8:25 a.m., 31 views

SQL Injection

sylius/grid-bundle is vulnerable to SQL Injection attacks. The library directly passes the values added at the end of query sorting to the database, allowing a malicious user to inject and execute arbitrary SQL queries on the system...

CVSS 9.8 | AI score 4.2 | EPSS 0.01337
Exploits 0 | References 6 | Affected Software 1

Github Security Blog
added 2022/03/15 7:09 p.m., 34 views

DQL injection through sorting parameters blocked

Impact: Values added at the end of query sorting were passed directly to the DB. We don't know if it could lead to direct SQL injections; however, we should not allow for easy injection of values there anyway. Patches: The issue is fixed in version 1.10.1 and in 1.11-rc.1. Workarounds: You have to...

CVSS 9.8 | AI score 0.7 | EPSS 0.01337
Exploits 0 | References 7 | Affected Software 1

CNNVD
added 2022/03/15 12:00 a.m., 3 views

SyliusGridBundle SQL Injection Vulnerability

SyliusGridBundle is an open source e-commerce solution built from decoupled components with a robust API and the highest quality code. A SQL injection vulnerability exists in SyliusGridBundle versions prior to 1.10.1 and prior to 1.11-rc2, which stems from the fact that values added at the end of ...

CVSS 9.8 | AI score 6.1 | EPSS 0.01337
Exploits 0 | References 7

Github Security Blog
added 2020/04/15 9:07 p.m., 53 views

XSS injection in the Grid component of Sylius

The Grid component of Sylius omits HTML input sanitisation while rendering an object implementing the toString method through the string field type...

CVSS 4.8 | AI score 1 | EPSS 0.00552
Exploits 0 | References 5 | Affected Software 3