
293 matches found

Cvelist
added 2024/07/17 5:51 p.m., 23 views

CVE-2024-40633 Customer data leak via adjustments API endpoint in Sylius

Sylius is an Open Source eCommerce Framework on Symfony. A security vulnerability was discovered in the /api/v2/shop/adjustments/id endpoint, which retrieves order adjustments based on incremental integer IDs. The vulnerability allows an attacker to enumerate valid adjustment IDs and retrieve ord...

CVSS 5.3, EPSS 0.00239
Exploits 0, References 1
Vulnrichment
added 2024/07/17 5:51 p.m., 26 views

CVE-2024-40633 Customer data leak via adjustments API endpoint in Sylius

Sylius is an Open Source eCommerce Framework on Symfony. A security vulnerability was discovered in the /api/v2/shop/adjustments/id endpoint, which retrieves order adjustments based on incremental integer IDs. The vulnerability allows an attacker to enumerate valid adjustment IDs and retrieve ord...

CVSS 5.3, AI score 6.6, EPSS 0.00239
Exploits 0, References 1
Github Security Blog
added 2024/07/17 2:32 p.m., 19 views

Sylius has a security vulnerability via adjustments API endpoint

Impact A security vulnerability was discovered in the /api/v2/shop/adjustments/id endpoint, which retrieves order adjustments based on incremental integer IDs. The vulnerability allows an attacker to enumerate valid adjustment IDs and retrieve order tokens. Using these tokens, an attacker can...

CVSS 5.3, AI score 5.9, EPSS 0.00239
Exploits 0, References 4, Affected Software 1
OSV
added 2024/07/17 2:32 p.m., 15 views

GHSA-55RF-8Q29-4G43 Sylius has a security vulnerability via adjustments API endpoint

Impact A security vulnerability was discovered in the /api/v2/shop/adjustments/id endpoint, which retrieves order adjustments based on incremental integer IDs. The vulnerability allows an attacker to enumerate valid adjustment IDs and retrieve order tokens. Using these tokens, an attacker can...

CVSS 8.7, AI score 5.9, EPSS 0.00239
Exploits 0, References 4
Veracode
added 2024/05/30 6:05 a.m., 6 views

Cross-site Request Forgery (CSRF)

sylius/resource-bundle is vulnerable to Cross-Site Request Forgery. The vulnerability is due to the absence of proper validation and insufficient CSRF protection for actions such as marking order payments or product reviews in the AdminBundle and ResourceBundle. This allows attackers to perfo...

AI score 7
Exploits 0
Veracode
added 2024/05/30 6:04 a.m., 8 views

Cross-site Request Forgery (CSRF)

sylius/admin-bundle is vulnerable to Cross-Site Request Forgery (CSRF). The vulnerability is due to the absence of a CSRF token requirement in several administrative actions, such as marking order payments as completed or refunded, and marking product reviews as accepted or rejected. This flaw...

AI score 7.1
Exploits 0
OSV
added 2024/05/29 6:50 p.m., 8 views

GHSA-945H-6VCV-PC8H Sylius Admin Bundle Cross-Site Request Forgery vulnerability

Sylius 1.0.0 to 1.0.16, 1.1.0 to 1.1.8, 1.2.0 to 1.2.1 versions of AdminBundle and ResourceBundle are affected by this security issue. This issue has been fixed in Sylius 1.0.17, 1.1.9 and 1.2.2. Development branch for 1.3 release has also been fixed. Description The following actions in the admi...

CVSS 6.5, AI score 6.9
Exploits 0, References 4
Github Security Blog
added 2024/05/29 6:50 p.m., 14 views

Sylius Admin Bundle Cross-Site Request Forgery vulnerability

Sylius 1.0.0 to 1.0.16, 1.1.0 to 1.1.8, 1.2.0 to 1.2.1 versions of AdminBundle and ResourceBundle are affected by this security issue. This issue has been fixed in Sylius 1.0.17, 1.1.9 and 1.2.2. Development branch for 1.3 release has also been fixed. Description The following actions in the admi...

AI score 6.9
Exploits 0, References 4, Affected Software 1
Github Security Blog
added 2024/05/29 6:50 p.m., 15 views

Sylius Resource Bundle Cross-Site Request Forgery vulnerability

Sylius 1.0.0 to 1.0.16, 1.1.0 to 1.1.8, 1.2.0 to 1.2.1 versions of AdminBundle and ResourceBundle are affected by this security issue. This issue has been fixed in Sylius 1.0.17, 1.1.9 and 1.2.2. Development branch for 1.3 release has also been fixed. Description The following actions in the admi...

AI score 6.9
Exploits 0, References 4, Affected Software 1
OSV
added 2024/05/29 6:50 p.m., 5 views

GHSA-65V7-WG35-2QPM Sylius Resource Bundle Cross-Site Request Forgery vulnerability

Sylius 1.0.0 to 1.0.16, 1.1.0 to 1.1.8, 1.2.0 to 1.2.1 versions of AdminBundle and ResourceBundle are affected by this security issue. This issue has been fixed in Sylius 1.0.17, 1.1.9 and 1.2.2. Development branch for 1.3 release has also been fixed. Description The following actions in the admi...

CVSS 6.5, AI score 6.9
Exploits 0, References 4
NVD
added 2024/05/14 3:38 p.m., 10 views

CVE-2024-34349

Sylius is an open source eCommerce platform. Prior to 1.12.16 and 1.13.1, there is a possibility to execute javascript code in the Admin panel. In order to perform an XSS attack input a script into Name field in which of the resources: Taxons, Products, Product Options or Product Variants. The co...

CVSS 4.8, AI score 6.1, EPSS 0.00068
Exploits 0, References 2
CNNVD
added 2024/05/14 12:00 a.m., 2 views

Sylius Cross-Site Scripting Vulnerability

Sylius is an open source e-commerce platform based on the Symfony framework from the Polish company Sylius. A cross-site scripting vulnerability exists in Sylius versions 1.12.16 and prior to 1.13.1, which can be exploited to execute javascript code in the admin panel...

CVSS 4.8, AI score 5, EPSS 0.00068
Exploits 0, References 4
Veracode
added 2024/05/13 6:45 a.m., 12 views

Cross-Site Scripting (XSS)

sylius/sylius is vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to insufficient input sanitization within autocomplete fields and the category tree in the Admin panel, which allows an attacker to insert arbitrary JavaScript into Name fields such as the Taxons, Products, Product...

CVSS 4.8, AI score 6.4, EPSS 0.00068
Exploits 0
Github Security Blog
added 2024/05/10 3:33 p.m., 20 views

Sylius has potential Cross Site Scripting vulnerability via the "Province" field in the Checkout and Address Book

Impact There is a possibility to save XSS code in province field in the Checkout and Address Book and then execute it on these pages. The problem occurs when you open the address step page in the checkout or edit the address in the address book. This only affects the base UI Shop provided by...

CVSS 6.4, AI score 6.7, EPSS 0.00133
Exploits 1, References 5, Affected Software 1
OSV
added 2024/05/10 3:33 p.m., 15 views

GHSA-7PRJ-9CCR-HR3Q Sylius has potential Cross Site Scripting vulnerability via the "Province" field in the Checkout and Address Book

Impact There is a possibility to save XSS code in province field in the Checkout and Address Book and then execute it on these pages. The problem occurs when you open the address step page in the checkout or edit the address in the address book. This only affects the base UI Shop provided by...

CVSS 6.4, AI score 6.7, EPSS 0.00133
Exploits 1, References 5
Github Security Blog
added 2024/05/10 3:33 p.m., 23 views

Sylius potentially vulnerable to Cross Site Scripting via "Name" field (Taxons, Products, Options, Variants) in Admin Panel

Impact There is a possibility to execute javascript code in the Admin panel. In order to perform an XSS attack input a script into Name field in which of the resources: Taxons, Products, Product Options or Product Variants. The code will be executed while using an autocomplete field with one of t...

CVSS 4.8, AI score 6, EPSS 0.00068
Exploits 0, References 3, Affected Software 1
OSV
added 2024/05/10 3:33 p.m., 17 views

GHSA-V2F9-RV6W-VW8R Sylius potentially vulnerable to Cross Site Scripting via "Name" field (Taxons, Products, Options, Variants) in Admin Panel

Impact There is a possibility to execute javascript code in the Admin panel. In order to perform an XSS attack input a script into Name field in which of the resources: Taxons, Products, Product Options or Product Variants. The code will be executed while using an autocomplete field with one of t...

CVSS 4.8, AI score 6, EPSS 0.00068
Exploits 0, References 3
CVE
added 2024/05/10 3:29 p.m., 54 views

CVE-2024-34349

CVE-2024-34349 affects Sylius: an XSS in the Admin panel allows script input in the Name field for resources such as Taxons, Products, Product Options, or Product Variants, via autocomplete fields and the category tree in the product form. Versions prior to 1.12.16 and 1.13.1 are vulnerable; the ...

CVSS 4.8, AI score 6.1, EPSS 0.00068
Exploits 0, References 2
Cvelist
added 2024/05/10 3:29 p.m., 14 views

CVE-2024-34349 Sylius potentially vulnerable to Cross Site Scripting via "Name" field (Taxons, Products, Options, Variants) in Admin Panel

Sylius is an open source eCommerce platform. Prior to 1.12.16 and 1.13.1, there is a possibility to execute javascript code in the Admin panel. In order to perform an XSS attack input a script into Name field in which of the resources: Taxons, Products, Product Options or Product Variants. The co...

CVSS 4.8, AI score 6.2, EPSS 0.00068
Exploits 0, References 2
Vulnrichment
added 2024/05/10 3:29 p.m., 16 views

CVE-2024-34349 Sylius potentially vulnerable to Cross Site Scripting via "Name" field (Taxons, Products, Options, Variants) in Admin Panel

Sylius is an open source eCommerce platform. Prior to 1.12.16 and 1.13.1, there is a possibility to execute javascript code in the Admin panel. In order to perform an XSS attack input a script into Name field in which of the resources: Taxons, Products, Product Options or Product Variants. The co...

CVSS 4.8, AI score 6.4, EPSS 0.00068
Exploits 0, References 2