References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

Change History

https://github.com/Sylius/Sylius/commit/ba4b66da5af88cdb1bba6174de8bdf42f4853e12

https://github.com/Sylius/Sylius/security/advisories/GHSA-v2f9-rv6w-vw8r

GitHub, Inc. AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

GitHub, Inc. AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Sylius is an open source eCommerce platform. Prior to 1.12.16 and 1.13.1, there is a possibility to execute javascript code in the Admin panel. In order to perform an XSS attack input a script into Name field in which of the resources: Taxons, Products, Product Options or Product Variants. The code will be executed while using an autocomplete field with one of the listed entities in the Admin Panel. Also for the taxons in the category tree on the product form.The issue is fixed in versions: 1.12

GitHub, Inc. AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

GitHub, Inc. CWE-79

GitHub, Inc. https://github.com/Sylius/Sylius/commit/ba4b66da5af88cdb1bba6174de8bdf42f4853e12 [No types assigned]

GitHub, Inc. https://github.com/Sylius/Sylius/security/advisories/GHSA-v2f9-rv6w-vw8r [No types assigned]