cvelistv5 - cve-2022-24749

CVE-2022-24749 (GCVE-0-2022-24749)

Vulnerability from cvelistv5

Published

2022-03-14 21:45

Modified

2025-04-22 18:18

Severity ?

6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE

CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CWE-434 - Unrestricted Upload of File with Dangerous Type

Summary

Sylius is an open source eCommerce platform. In versions prior to 1.9.10, 1.10.11, and 1.11.2, it is possible to upload an SVG file containing cross-site scripting (XSS) code in the admin panel. In order to perform a XSS attack, the file itself has to be open in a new card or loaded outside of the IMG tag. The problem applies both to the files opened on the admin panel and shop pages. The issue is fixed in versions 1.9.10, 1.10.11, and 1.11.2. As a workaround, require a library that adds on-upload file sanitization and overwrite the service before writing the file to the filesystem. The GitHub Security Advisory contains more specific information about the workaround.

References

URL	Tags
security-advisories@github.com	https://github.com/Sylius/Sylius/releases/tag/v1.10.11	Third Party Advisory
security-advisories@github.com	https://github.com/Sylius/Sylius/releases/tag/v1.11.2	Third Party Advisory
security-advisories@github.com	https://github.com/Sylius/Sylius/releases/tag/v1.9.10	Third Party Advisory
security-advisories@github.com	https://github.com/Sylius/Sylius/security/advisories/GHSA-4qrp-27r3-66fj	Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/Sylius/Sylius/releases/tag/v1.10.11	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/Sylius/Sylius/releases/tag/v1.11.2	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/Sylius/Sylius/releases/tag/v1.9.10	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/Sylius/Sylius/security/advisories/GHSA-4qrp-27r3-66fj	Exploit, Third Party Advisory

Impacted products

	Vendor	Product	Version
	Sylius	Sylius	Version: < 1.9.10 Version: >= 1.10.0, < 1.10.11 Version: >= 1.11.0, < 1.11.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T04:20:50.445Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/Sylius/Sylius/releases/tag/v1.10.11"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/Sylius/Sylius/releases/tag/v1.11.2"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/Sylius/Sylius/releases/tag/v1.9.10"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-4qrp-27r3-66fj"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-24749",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-22T15:49:14.780831Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-22T18:18:36.653Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Sylius",
          "vendor": "Sylius",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.9.10"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.10.0, \u003c 1.10.11"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.11.0, \u003c 1.11.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Sylius is an open source eCommerce platform. In versions prior to 1.9.10, 1.10.11, and 1.11.2, it is possible to upload an SVG file containing cross-site scripting (XSS) code in the admin panel. In order to perform a XSS attack, the file itself has to be open in a new card or loaded outside of the IMG tag. The problem applies both to the files opened on the admin panel and shop pages. The issue is fixed in versions 1.9.10, 1.10.11, and 1.11.2. As a workaround, require a library that adds on-upload file sanitization and overwrite the service before writing the file to the filesystem. The GitHub Security Advisory contains more specific information about the workaround."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-80",
              "description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-434",
              "description": "CWE-434: Unrestricted Upload of File with Dangerous Type",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-03-14T21:45:12.000Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/Sylius/Sylius/releases/tag/v1.10.11"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/Sylius/Sylius/releases/tag/v1.11.2"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/Sylius/Sylius/releases/tag/v1.9.10"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-4qrp-27r3-66fj"
        }
      ],
      "source": {
        "advisory": "GHSA-4qrp-27r3-66fj",
        "discovery": "UNKNOWN"
      },
      "title": "Basic Cross-site Scripting and Unrestricted Upload of File with Dangerous Type in Sylius",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2022-24749",
          "STATE": "PUBLIC",
          "TITLE": "Basic Cross-site Scripting and Unrestricted Upload of File with Dangerous Type in Sylius"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Sylius",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 1.9.10"
                          },
                          {
                            "version_value": "\u003e= 1.10.0, \u003c 1.10.11"
                          },
                          {
                            "version_value": "\u003e= 1.11.0, \u003c 1.11.2"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Sylius"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Sylius is an open source eCommerce platform. In versions prior to 1.9.10, 1.10.11, and 1.11.2, it is possible to upload an SVG file containing cross-site scripting (XSS) code in the admin panel. In order to perform a XSS attack, the file itself has to be open in a new card or loaded outside of the IMG tag. The problem applies both to the files opened on the admin panel and shop pages. The issue is fixed in versions 1.9.10, 1.10.11, and 1.11.2. As a workaround, require a library that adds on-upload file sanitization and overwrite the service before writing the file to the filesystem. The GitHub Security Advisory contains more specific information about the workaround."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)"
                }
              ]
            },
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-434: Unrestricted Upload of File with Dangerous Type"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/Sylius/Sylius/releases/tag/v1.10.11",
              "refsource": "MISC",
              "url": "https://github.com/Sylius/Sylius/releases/tag/v1.10.11"
            },
            {
              "name": "https://github.com/Sylius/Sylius/releases/tag/v1.11.2",
              "refsource": "MISC",
              "url": "https://github.com/Sylius/Sylius/releases/tag/v1.11.2"
            },
            {
              "name": "https://github.com/Sylius/Sylius/releases/tag/v1.9.10",
              "refsource": "MISC",
              "url": "https://github.com/Sylius/Sylius/releases/tag/v1.9.10"
            },
            {
              "name": "https://github.com/Sylius/Sylius/security/advisories/GHSA-4qrp-27r3-66fj",
              "refsource": "CONFIRM",
              "url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-4qrp-27r3-66fj"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-4qrp-27r3-66fj",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2022-24749",
    "datePublished": "2022-03-14T21:45:13.000Z",
    "dateReserved": "2022-02-10T00:00:00.000Z",
    "dateUpdated": "2025-04-22T18:18:36.653Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-24749\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2022-03-14T22:15:07.610\",\"lastModified\":\"2024-11-21T06:51:00.700\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Sylius is an open source eCommerce platform. In versions prior to 1.9.10, 1.10.11, and 1.11.2, it is possible to upload an SVG file containing cross-site scripting (XSS) code in the admin panel. In order to perform a XSS attack, the file itself has to be open in a new card or loaded outside of the IMG tag. The problem applies both to the files opened on the admin panel and shop pages. The issue is fixed in versions 1.9.10, 1.10.11, and 1.11.2. As a workaround, require a library that adds on-upload file sanitization and overwrite the service before writing the file to the filesystem. The GitHub Security Advisory contains more specific information about the workaround.\"},{\"lang\":\"es\",\"value\":\"Sylius es una plataforma de comercio electr\u00f3nico de c\u00f3digo abierto. En versiones anteriores a 1.9.10, 1.10.11 y 1.11.2, es posible cargar un archivo SVG que contenga c\u00f3digo de tipo cross-site scripting (XSS) en el panel de administraci\u00f3n. Para llevar a cabo un ataque de tipo XSS, el propio archivo tiene que abrirse en una nueva tarjeta o cargarse fuera de la etiqueta IMG. El problema es aplicado tanto a los archivos abiertos en el panel de administraci\u00f3n como a las p\u00e1ginas de la tienda. El problema est\u00e1 corregido en versiones 1.9.10, 1.10.11 y 1.11.2. Como medida de mitigaci\u00f3n, requiera una biblioteca que a\u00f1ada saneo de archivos al cargar y sobrescriba el servicio antes de escribir el archivo en el sistema de archivos. El aviso de seguridad de GitHub contiene informaci\u00f3n m\u00e1s espec\u00edfica sobre la mitigaci\u00f3n\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.7},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.7}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:N/I:P/A:N\",\"baseScore\":4.3,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-80\"},{\"lang\":\"en\",\"value\":\"CWE-434\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.9.10\",\"matchCriteriaId\":\"E2B404E6-8985-428A-A7C4-880A4947766B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.10.0\",\"versionEndExcluding\":\"1.10.11\",\"matchCriteriaId\":\"687E9BB6-A926-4A62-B44E-7A1B236D6C6F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.11.0\",\"versionEndExcluding\":\"1.11.2\",\"matchCriteriaId\":\"D4D032BB-B314-42A5-808D-5861B909F76F\"}]}]}],\"references\":[{\"url\":\"https://github.com/Sylius/Sylius/releases/tag/v1.10.11\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/Sylius/Sylius/releases/tag/v1.11.2\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/Sylius/Sylius/releases/tag/v1.9.10\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/Sylius/Sylius/security/advisories/GHSA-4qrp-27r3-66fj\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/Sylius/Sylius/releases/tag/v1.10.11\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/Sylius/Sylius/releases/tag/v1.11.2\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/Sylius/Sylius/releases/tag/v1.9.10\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/Sylius/Sylius/security/advisories/GHSA-4qrp-27r3-66fj\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/Sylius/Sylius/releases/tag/v1.10.11\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/Sylius/Sylius/releases/tag/v1.11.2\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/Sylius/Sylius/releases/tag/v1.9.10\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/Sylius/Sylius/security/advisories/GHSA-4qrp-27r3-66fj\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T04:20:50.445Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-24749\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-04-22T15:49:14.780831Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-04-22T15:49:16.289Z\"}}], \"cna\": {\"title\": \"Basic Cross-site Scripting and Unrestricted Upload of File with Dangerous Type in Sylius\", \"source\": {\"advisory\": \"GHSA-4qrp-27r3-66fj\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 6.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"Sylius\", \"product\": \"Sylius\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 1.9.10\"}, {\"status\": \"affected\", \"version\": \"\u003e= 1.10.0, \u003c 1.10.11\"}, {\"status\": \"affected\", \"version\": \"\u003e= 1.11.0, \u003c 1.11.2\"}]}], \"references\": [{\"url\": \"https://github.com/Sylius/Sylius/releases/tag/v1.10.11\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/Sylius/Sylius/releases/tag/v1.11.2\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/Sylius/Sylius/releases/tag/v1.9.10\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/Sylius/Sylius/security/advisories/GHSA-4qrp-27r3-66fj\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Sylius is an open source eCommerce platform. In versions prior to 1.9.10, 1.10.11, and 1.11.2, it is possible to upload an SVG file containing cross-site scripting (XSS) code in the admin panel. In order to perform a XSS attack, the file itself has to be open in a new card or loaded outside of the IMG tag. The problem applies both to the files opened on the admin panel and shop pages. The issue is fixed in versions 1.9.10, 1.10.11, and 1.11.2. As a workaround, require a library that adds on-upload file sanitization and overwrite the service before writing the file to the filesystem. The GitHub Security Advisory contains more specific information about the workaround.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-80\", \"description\": \"CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-434\", \"description\": \"CWE-434: Unrestricted Upload of File with Dangerous Type\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2022-03-14T21:45:12.000Z\"}, \"x_legacyV4Record\": {\"impact\": {\"cvss\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 6.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}, \"source\": {\"advisory\": \"GHSA-4qrp-27r3-66fj\", \"discovery\": \"UNKNOWN\"}, \"affects\": {\"vendor\": {\"vendor_data\": [{\"product\": {\"product_data\": [{\"version\": {\"version_data\": [{\"version_value\": \"\u003c 1.9.10\"}, {\"version_value\": \"\u003e= 1.10.0, \u003c 1.10.11\"}, {\"version_value\": \"\u003e= 1.11.0, \u003c 1.11.2\"}]}, \"product_name\": \"Sylius\"}]}, \"vendor_name\": \"Sylius\"}]}}, \"data_type\": \"CVE\", \"references\": {\"reference_data\": [{\"url\": \"https://github.com/Sylius/Sylius/releases/tag/v1.10.11\", \"name\": \"https://github.com/Sylius/Sylius/releases/tag/v1.10.11\", \"refsource\": \"MISC\"}, {\"url\": \"https://github.com/Sylius/Sylius/releases/tag/v1.11.2\", \"name\": \"https://github.com/Sylius/Sylius/releases/tag/v1.11.2\", \"refsource\": \"MISC\"}, {\"url\": \"https://github.com/Sylius/Sylius/releases/tag/v1.9.10\", \"name\": \"https://github.com/Sylius/Sylius/releases/tag/v1.9.10\", \"refsource\": \"MISC\"}, {\"url\": \"https://github.com/Sylius/Sylius/security/advisories/GHSA-4qrp-27r3-66fj\", \"name\": \"https://github.com/Sylius/Sylius/security/advisories/GHSA-4qrp-27r3-66fj\", \"refsource\": \"CONFIRM\"}]}, \"data_format\": \"MITRE\", \"description\": {\"description_data\": [{\"lang\": \"eng\", \"value\": \"Sylius is an open source eCommerce platform. In versions prior to 1.9.10, 1.10.11, and 1.11.2, it is possible to upload an SVG file containing cross-site scripting (XSS) code in the admin panel. In order to perform a XSS attack, the file itself has to be open in a new card or loaded outside of the IMG tag. The problem applies both to the files opened on the admin panel and shop pages. The issue is fixed in versions 1.9.10, 1.10.11, and 1.11.2. As a workaround, require a library that adds on-upload file sanitization and overwrite the service before writing the file to the filesystem. The GitHub Security Advisory contains more specific information about the workaround.\"}]}, \"problemtype\": {\"problemtype_data\": [{\"description\": [{\"lang\": \"eng\", \"value\": \"CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)\"}]}, {\"description\": [{\"lang\": \"eng\", \"value\": \"CWE-434: Unrestricted Upload of File with Dangerous Type\"}]}]}, \"data_version\": \"4.0\", \"CVE_data_meta\": {\"ID\": \"CVE-2022-24749\", \"STATE\": \"PUBLIC\", \"TITLE\": \"Basic Cross-site Scripting and Unrestricted Upload of File with Dangerous Type in Sylius\", \"ASSIGNER\": \"security-advisories@github.com\"}}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2022-24749\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-04-22T18:18:36.653Z\", \"dateReserved\": \"2022-02-10T00:00:00.000Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2022-03-14T21:45:13.000Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

ghsa-4qrp-27r3-66fj

Vulnerability from github

Published

2022-03-14 22:38

Modified

2022-03-18 15:22

Severity ?

6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Summary

Improper sanitize of SVG files during content upload ('Cross-site Scripting') in sylius/sylius

Details

Impact

There is a possibility to upload an SVG file containing XSS code in the admin panel. In order to perform an XSS attack, the file itself has to be opened in a new card (or loaded outside of the IMG tag). The problem applies both to the files opened on the admin panel and shop pages.

Patches

The issue is fixed in versions: 1.9.10, 1.10.11, 1.11.2, and above.

Workarounds

If there is a need to upload an SVG image type, on-upload sanitization has to be added. The way to achieve this is to require a library that will do the trick:

composer require enshrined/svg-sanitize

The second step is all about performing a file content sanitization before writing it to the filesystem. It can be done by overwriting the service:

```php <?php

declare(strict_types=1);

namespace App\Uploader;

use enshrined\svgSanitize\Sanitizer; use Gaufrette\Filesystem; use Sylius\Component\Core\Generator\ImagePathGeneratorInterface; use Sylius\Component\Core\Generator\UploadedImagePathGenerator; use Sylius\Component\Core\Model\ImageInterface; use Sylius\Component\Core\Uploader\ImageUploaderInterface; use Symfony\Component\HttpFoundation\File\File; use Webmozart\Assert\Assert;

final class ImageUploader implements ImageUploaderInterface { private const MIME_SVG_XML = 'image/svg+xml'; private const MIME_SVG = 'image/svg';

/** @var Filesystem */
protected $filesystem;

/** @var ImagePathGeneratorInterface */
protected $imagePathGenerator;

/** @var Sanitizer */
protected $sanitizer;

public function __construct(
    Filesystem $filesystem,
    ?ImagePathGeneratorInterface $imagePathGenerator = null
) {
    $this->filesystem = $filesystem;

    if ($imagePathGenerator === null) {
        @trigger_error(sprintf(
            'Not passing an $imagePathGenerator to %s constructor is deprecated since Sylius 1.6 and will be not possible in Sylius 2.0.', self::class
        ), \E_USER_DEPRECATED);
    }

    $this->imagePathGenerator = $imagePathGenerator ?? new UploadedImagePathGenerator();
    $this->sanitizer = new Sanitizer();
}

public function upload(ImageInterface $image): void
{
    if (!$image->hasFile()) {
        return;
    }

    /** @var File $file */
    $file = $image->getFile();

    Assert::isInstanceOf($file, File::class);

    $fileContent = $this->sanitizeContent(file_get_contents($file->getPathname()), $file->getMimeType());

    if (null !== $image->getPath() && $this->has($image->getPath())) {
        $this->remove($image->getPath());
    }

    do {
        $path = $this->imagePathGenerator->generate($image);
    } while ($this->isAdBlockingProne($path) || $this->filesystem->has($path));

    $image->setPath($path);

    $this->filesystem->write($image->getPath(), $fileContent);
}

public function remove(string $path): bool
{
    if ($this->filesystem->has($path)) {
        return $this->filesystem->delete($path);
    }

    return false;
}

protected function sanitizeContent(string $fileContent, string $mimeType): string
{
    if (self::MIME_SVG_XML === $mimeType || self::MIME_SVG === $mimeType) {
        $fileContent = $this->sanitizer->sanitize($fileContent);
    }

    return $fileContent;
}

private function has(string $path): bool
{
    return $this->filesystem->has($path);
}

/**
 * Will return true if the path is prone to be blocked by ad blockers
 */
private function isAdBlockingProne(string $path): bool
{
    return strpos($path, 'ad') !== false;
}

} ```

After that, register service in the container:

yaml services: sylius.image_uploader: class: App\Uploader\ImageUploader arguments: - '@gaufrette.sylius_image_filesystem' - '@Sylius\Component\Core\Generator\ImagePathGeneratorInterface'

For more information

If you have any questions or comments about this advisory: * Open an issue in Sylius issues * Email us at security@sylius.com

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "sylius/sylius"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.9.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "sylius/sylius"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.10.0"
            },
            {
              "fixed": "1.10.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "sylius/sylius"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.11.0"
            },
            {
              "fixed": "1.11.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-24749"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-434",
      "CWE-79",
      "CWE-80"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-03-14T22:38:14Z",
    "nvd_published_at": "2022-03-14T22:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nThere is a possibility to upload an SVG file containing XSS code in the admin panel. In order to perform an XSS attack, the file itself has to be opened in a new card (or loaded outside of the IMG tag). The problem applies both to the files opened on the admin panel and shop pages.\n\n### Patches\nThe issue is fixed in versions: 1.9.10, 1.10.11, 1.11.2, and above.\n\n### Workarounds\nIf there is a need to upload an SVG image type, on-upload sanitization has to be added. The way to achieve this is to require a library that will do the trick:\n\n```\ncomposer require enshrined/svg-sanitize\n```\n\nThe second step is all about performing a file content sanitization before writing it to the filesystem. It can be done by overwriting the service:\n\n```php\n\u003c?php\n\ndeclare(strict_types=1);\n\nnamespace App\\Uploader;\n\nuse enshrined\\svgSanitize\\Sanitizer;\nuse Gaufrette\\Filesystem;\nuse Sylius\\Component\\Core\\Generator\\ImagePathGeneratorInterface;\nuse Sylius\\Component\\Core\\Generator\\UploadedImagePathGenerator;\nuse Sylius\\Component\\Core\\Model\\ImageInterface;\nuse Sylius\\Component\\Core\\Uploader\\ImageUploaderInterface;\nuse Symfony\\Component\\HttpFoundation\\File\\File;\nuse Webmozart\\Assert\\Assert;\n\nfinal class ImageUploader implements ImageUploaderInterface\n{\n    private const MIME_SVG_XML = \u0027image/svg+xml\u0027;\n    private const MIME_SVG = \u0027image/svg\u0027;\n\n    /** @var Filesystem */\n    protected $filesystem;\n\n    /** @var ImagePathGeneratorInterface */\n    protected $imagePathGenerator;\n\n    /** @var Sanitizer */\n    protected $sanitizer;\n\n    public function __construct(\n        Filesystem $filesystem,\n        ?ImagePathGeneratorInterface $imagePathGenerator = null\n    ) {\n        $this-\u003efilesystem = $filesystem;\n\n        if ($imagePathGenerator === null) {\n            @trigger_error(sprintf(\n                \u0027Not passing an $imagePathGenerator to %s constructor is deprecated since Sylius 1.6 and will be not possible in Sylius 2.0.\u0027, self::class\n            ), \\E_USER_DEPRECATED);\n        }\n\n        $this-\u003eimagePathGenerator = $imagePathGenerator ?? new UploadedImagePathGenerator();\n        $this-\u003esanitizer = new Sanitizer();\n    }\n\n    public function upload(ImageInterface $image): void\n    {\n        if (!$image-\u003ehasFile()) {\n            return;\n        }\n\n        /** @var File $file */\n        $file = $image-\u003egetFile();\n\n        Assert::isInstanceOf($file, File::class);\n\n        $fileContent = $this-\u003esanitizeContent(file_get_contents($file-\u003egetPathname()), $file-\u003egetMimeType());\n\n        if (null !== $image-\u003egetPath() \u0026\u0026 $this-\u003ehas($image-\u003egetPath())) {\n            $this-\u003eremove($image-\u003egetPath());\n        }\n\n        do {\n            $path = $this-\u003eimagePathGenerator-\u003egenerate($image);\n        } while ($this-\u003eisAdBlockingProne($path) || $this-\u003efilesystem-\u003ehas($path));\n\n        $image-\u003esetPath($path);\n\n        $this-\u003efilesystem-\u003ewrite($image-\u003egetPath(), $fileContent);\n    }\n\n    public function remove(string $path): bool\n    {\n        if ($this-\u003efilesystem-\u003ehas($path)) {\n            return $this-\u003efilesystem-\u003edelete($path);\n        }\n\n        return false;\n    }\n\n    protected function sanitizeContent(string $fileContent, string $mimeType): string\n    {\n        if (self::MIME_SVG_XML === $mimeType || self::MIME_SVG === $mimeType) {\n            $fileContent = $this-\u003esanitizer-\u003esanitize($fileContent);\n        }\n\n        return $fileContent;\n    }\n\n    private function has(string $path): bool\n    {\n        return $this-\u003efilesystem-\u003ehas($path);\n    }\n\n    /**\n     * Will return true if the path is prone to be blocked by ad blockers\n     */\n    private function isAdBlockingProne(string $path): bool\n    {\n        return strpos($path, \u0027ad\u0027) !== false;\n    }\n}\n```\n\nAfter that, register service in the container:\n\n```yaml\nservices:\n    sylius.image_uploader:\n        class: App\\Uploader\\ImageUploader\n        arguments:\n            - \u0027@gaufrette.sylius_image_filesystem\u0027\n            - \u0027@Sylius\\Component\\Core\\Generator\\ImagePathGeneratorInterface\u0027\n```\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [Sylius issues](https://github.com/Sylius/Sylius/issues)\n* Email us at security@sylius.com\n",
  "id": "GHSA-4qrp-27r3-66fj",
  "modified": "2022-03-18T15:22:18Z",
  "published": "2022-03-14T22:38:14Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-4qrp-27r3-66fj"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24749"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Sylius/Sylius"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Sylius/Sylius/releases/tag/v1.10.11"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Sylius/Sylius/releases/tag/v1.11.2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Sylius/Sylius/releases/tag/v1.9.10"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Improper sanitize of SVG files during content upload (\u0027Cross-site Scripting\u0027) in sylius/sylius"
}

cnvd-2022-20526

Vulnerability from cnvd

Title: Sylius跨站脚本漏洞（CNVD-2022-20526）

Description:

Sylius是一个开源电子商务平台。

Sylius存在跨站脚本漏洞，攻击者可利用该漏洞在管理面板中上传包含XSS代码的SVG文件，从而获取用户cookie以及构造钓鱼攻击。

Severity: 中

Patch Name: Sylius跨站脚本漏洞（CNVD-2022-20526）的补丁

Patch Description:

Sylius是一个开源电子商务平台。

Sylius存在跨站脚本漏洞，攻击者可利用该漏洞在管理面板中上传包含XSS代码的SVG文件，从而获取用户cookie以及构造钓鱼攻击。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载： https://github.com/Sylius/Sylius/security/advisories/GHSA-4qrp-27r3-66fj

Reference: https://nvd.nist.gov/vuln/detail/CVE-2022-24749

Impacted products

Name
['sylius Sylius <1.9.10', 'sylius Sylius <1.10.11', 'sylius Sylius <1.11.2']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2022-24749",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2022-24749"
    }
  },
  "description": "Sylius\u662f\u4e00\u4e2a\u5f00\u6e90\u7535\u5b50\u5546\u52a1\u5e73\u53f0\u3002\n\nSylius\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5728\u7ba1\u7406\u9762\u677f\u4e2d\u4e0a\u4f20\u5305\u542bXSS\u4ee3\u7801\u7684SVG\u6587\u4ef6\uff0c\u4ece\u800c\u83b7\u53d6\u7528\u6237cookie\u4ee5\u53ca\u6784\u9020\u9493\u9c7c\u653b\u51fb\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u8fd9\u4e2a\u5b89\u5168\u95ee\u9898\uff0c\u8bf7\u5230\u5382\u5546\u7684\u4e3b\u9875\u4e0b\u8f7d\uff1a\r\nhttps://github.com/Sylius/Sylius/security/advisories/GHSA-4qrp-27r3-66fj",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2022-20526",
  "openTime": "2022-03-18",
  "patchDescription": "Sylius\u662f\u4e00\u4e2a\u5f00\u6e90\u7535\u5b50\u5546\u52a1\u5e73\u53f0\u3002\r\n\r\nSylius\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5728\u7ba1\u7406\u9762\u677f\u4e2d\u4e0a\u4f20\u5305\u542bXSS\u4ee3\u7801\u7684SVG\u6587\u4ef6\uff0c\u4ece\u800c\u83b7\u53d6\u7528\u6237cookie\u4ee5\u53ca\u6784\u9020\u9493\u9c7c\u653b\u51fb\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Sylius\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff08CNVD-2022-20526\uff09\u7684\u8865\u4e01",
  "products": {
    "product": [
      "sylius Sylius \u003c1.9.10",
      "sylius Sylius \u003c1.10.11",
      "sylius Sylius \u003c1.11.2"
    ]
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2022-24749",
  "serverity": "\u4e2d",
  "submitTime": "2022-03-15",
  "title": "Sylius\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff08CNVD-2022-20526\uff09"
}

gsd-2022-24749

Vulnerability from gsd

Modified

2023-12-13 01:19

Details

Aliases

CVE-2022-24749

Aliases

CVE-2022-24749

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2022-24749",
    "description": "Sylius is an open source eCommerce platform. In versions prior to 1.9.10, 1.10.11, and 1.11.2, it is possible to upload an SVG file containing cross-site scripting (XSS) code in the admin panel. In order to perform a XSS attack, the file itself has to be open in a new card or loaded outside of the IMG tag. The problem applies both to the files opened on the admin panel and shop pages. The issue is fixed in versions 1.9.10, 1.10.11, and 1.11.2. As a workaround, require a library that adds on-upload file sanitization and overwrite the service before writing the file to the filesystem. The GitHub Security Advisory contains more specific information about the workaround.",
    "id": "GSD-2022-24749"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2022-24749"
      ],
      "details": "Sylius is an open source eCommerce platform. In versions prior to 1.9.10, 1.10.11, and 1.11.2, it is possible to upload an SVG file containing cross-site scripting (XSS) code in the admin panel. In order to perform a XSS attack, the file itself has to be open in a new card or loaded outside of the IMG tag. The problem applies both to the files opened on the admin panel and shop pages. The issue is fixed in versions 1.9.10, 1.10.11, and 1.11.2. As a workaround, require a library that adds on-upload file sanitization and overwrite the service before writing the file to the filesystem. The GitHub Security Advisory contains more specific information about the workaround.",
      "id": "GSD-2022-24749",
      "modified": "2023-12-13T01:19:42.643549Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2022-24749",
        "STATE": "PUBLIC",
        "TITLE": "Basic Cross-site Scripting and Unrestricted Upload of File with Dangerous Type in Sylius"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Sylius",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "\u003c 1.9.10"
                        },
                        {
                          "version_value": "\u003e= 1.10.0, \u003c 1.10.11"
                        },
                        {
                          "version_value": "\u003e= 1.11.0, \u003c 1.11.2"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Sylius"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Sylius is an open source eCommerce platform. In versions prior to 1.9.10, 1.10.11, and 1.11.2, it is possible to upload an SVG file containing cross-site scripting (XSS) code in the admin panel. In order to perform a XSS attack, the file itself has to be open in a new card or loaded outside of the IMG tag. The problem applies both to the files opened on the admin panel and shop pages. The issue is fixed in versions 1.9.10, 1.10.11, and 1.11.2. As a workaround, require a library that adds on-upload file sanitization and overwrite the service before writing the file to the filesystem. The GitHub Security Advisory contains more specific information about the workaround."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)"
              }
            ]
          },
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-434: Unrestricted Upload of File with Dangerous Type"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/Sylius/Sylius/releases/tag/v1.10.11",
            "refsource": "MISC",
            "url": "https://github.com/Sylius/Sylius/releases/tag/v1.10.11"
          },
          {
            "name": "https://github.com/Sylius/Sylius/releases/tag/v1.11.2",
            "refsource": "MISC",
            "url": "https://github.com/Sylius/Sylius/releases/tag/v1.11.2"
          },
          {
            "name": "https://github.com/Sylius/Sylius/releases/tag/v1.9.10",
            "refsource": "MISC",
            "url": "https://github.com/Sylius/Sylius/releases/tag/v1.9.10"
          },
          {
            "name": "https://github.com/Sylius/Sylius/security/advisories/GHSA-4qrp-27r3-66fj",
            "refsource": "CONFIRM",
            "url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-4qrp-27r3-66fj"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-4qrp-27r3-66fj",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c1.9.10||\u003e=1.10.0,\u003c1.10.11||\u003e=1.11.0,\u003c1.11.2",
          "affected_versions": "All versions before 1.9.10, all versions starting from 1.10.0 before 1.10.11, all versions starting from 1.11.0 before 1.11.2",
          "cwe_ids": [
            "CWE-1035",
            "CWE-434",
            "CWE-79",
            "CWE-80",
            "CWE-937"
          ],
          "date": "2022-03-18",
          "description": "Sylius is an open source eCommerce platform. In versions prior to 1.9.10, 1.10.11, and 1.11.2, it is possible to upload an SVG file containing cross-site scripting (XSS) code in the admin panel. In order to perform a XSS attack, the file itself has to be open in a new card or loaded outside of the IMG tag. The problem applies both to the files opened on the admin panel and shop pages. The issue is fixed in versions 1.9.10, 1.10.11, and 1.11.2. As a workaround, require a library that adds on-upload file sanitization and overwrite the service before writing the file to the filesystem. The GitHub Security Advisory contains more specific information about the workaround.",
          "fixed_versions": [
            "1.9.10",
            "1.10.11",
            "1.11.2"
          ],
          "identifier": "CVE-2022-24749",
          "identifiers": [
            "GHSA-4qrp-27r3-66fj",
            "CVE-2022-24749"
          ],
          "not_impacted": "All versions starting from 1.9.10 before 1.10.0, all versions starting from 1.10.11 before 1.11.0, all versions starting from 1.11.2",
          "package_slug": "packagist/sylius/sylius",
          "pubdate": "2022-03-14",
          "solution": "Upgrade to versions 1.9.10, 1.10.11, 1.11.2 or above.",
          "title": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
          "urls": [
            "https://github.com/Sylius/Sylius/security/advisories/GHSA-4qrp-27r3-66fj",
            "https://github.com/Sylius/Sylius/releases/tag/v1.10.11",
            "https://github.com/Sylius/Sylius/releases/tag/v1.11.2",
            "https://github.com/Sylius/Sylius/releases/tag/v1.9.10",
            "https://nvd.nist.gov/vuln/detail/CVE-2022-24749",
            "https://github.com/advisories/GHSA-4qrp-27r3-66fj"
          ],
          "uuid": "3ca33497-90a5-49d7-925c-bf40d15f0062"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "1.9.10",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "1.10.11",
                "versionStartIncluding": "1.10.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "1.11.2",
                "versionStartIncluding": "1.11.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2022-24749"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Sylius is an open source eCommerce platform. In versions prior to 1.9.10, 1.10.11, and 1.11.2, it is possible to upload an SVG file containing cross-site scripting (XSS) code in the admin panel. In order to perform a XSS attack, the file itself has to be open in a new card or loaded outside of the IMG tag. The problem applies both to the files opened on the admin panel and shop pages. The issue is fixed in versions 1.9.10, 1.10.11, and 1.11.2. As a workaround, require a library that adds on-upload file sanitization and overwrite the service before writing the file to the filesystem. The GitHub Security Advisory contains more specific information about the workaround."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-79"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/Sylius/Sylius/security/advisories/GHSA-4qrp-27r3-66fj",
              "refsource": "CONFIRM",
              "tags": [
                "Exploit",
                "Third Party Advisory"
              ],
              "url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-4qrp-27r3-66fj"
            },
            {
              "name": "https://github.com/Sylius/Sylius/releases/tag/v1.11.2",
              "refsource": "MISC",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://github.com/Sylius/Sylius/releases/tag/v1.11.2"
            },
            {
              "name": "https://github.com/Sylius/Sylius/releases/tag/v1.9.10",
              "refsource": "MISC",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://github.com/Sylius/Sylius/releases/tag/v1.9.10"
            },
            {
              "name": "https://github.com/Sylius/Sylius/releases/tag/v1.10.11",
              "refsource": "MISC",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://github.com/Sylius/Sylius/releases/tag/v1.10.11"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 8.6,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": true
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 2.7
        }
      },
      "lastModifiedDate": "2022-03-22T15:08Z",
      "publishedDate": "2022-03-14T22:15Z"
    }
  }
}

fkie_cve-2022-24749

Vulnerability from fkie_nvd

Published

2022-03-14 22:15

Modified

2024-11-21 06:51

Severity ?

6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/Sylius/Sylius/releases/tag/v1.10.11	Third Party Advisory
security-advisories@github.com	https://github.com/Sylius/Sylius/releases/tag/v1.11.2	Third Party Advisory
security-advisories@github.com	https://github.com/Sylius/Sylius/releases/tag/v1.9.10	Third Party Advisory
security-advisories@github.com	https://github.com/Sylius/Sylius/security/advisories/GHSA-4qrp-27r3-66fj	Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/Sylius/Sylius/releases/tag/v1.10.11	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/Sylius/Sylius/releases/tag/v1.11.2	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/Sylius/Sylius/releases/tag/v1.9.10	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/Sylius/Sylius/security/advisories/GHSA-4qrp-27r3-66fj	Exploit, Third Party Advisory

Impacted products

Vendor	Product	Version
sylius	sylius	*
sylius	sylius	*
sylius	sylius	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "E2B404E6-8985-428A-A7C4-880A4947766B",
              "versionEndExcluding": "1.9.10",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "687E9BB6-A926-4A62-B44E-7A1B236D6C6F",
              "versionEndExcluding": "1.10.11",
              "versionStartIncluding": "1.10.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "D4D032BB-B314-42A5-808D-5861B909F76F",
              "versionEndExcluding": "1.11.2",
              "versionStartIncluding": "1.11.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Sylius is an open source eCommerce platform. In versions prior to 1.9.10, 1.10.11, and 1.11.2, it is possible to upload an SVG file containing cross-site scripting (XSS) code in the admin panel. In order to perform a XSS attack, the file itself has to be open in a new card or loaded outside of the IMG tag. The problem applies both to the files opened on the admin panel and shop pages. The issue is fixed in versions 1.9.10, 1.10.11, and 1.11.2. As a workaround, require a library that adds on-upload file sanitization and overwrite the service before writing the file to the filesystem. The GitHub Security Advisory contains more specific information about the workaround."
    },
    {
      "lang": "es",
      "value": "Sylius es una plataforma de comercio electr\u00f3nico de c\u00f3digo abierto. En versiones anteriores a 1.9.10, 1.10.11 y 1.11.2, es posible cargar un archivo SVG que contenga c\u00f3digo de tipo cross-site scripting (XSS) en el panel de administraci\u00f3n. Para llevar a cabo un ataque de tipo XSS, el propio archivo tiene que abrirse en una nueva tarjeta o cargarse fuera de la etiqueta IMG. El problema es aplicado tanto a los archivos abiertos en el panel de administraci\u00f3n como a las p\u00e1ginas de la tienda. El problema est\u00e1 corregido en versiones 1.9.10, 1.10.11 y 1.11.2. Como medida de mitigaci\u00f3n, requiera una biblioteca que a\u00f1ada saneo de archivos al cargar y sobrescriba el servicio antes de escribir el archivo en el sistema de archivos. El aviso de seguridad de GitHub contiene informaci\u00f3n m\u00e1s espec\u00edfica sobre la mitigaci\u00f3n"
    }
  ],
  "id": "CVE-2022-24749",
  "lastModified": "2024-11-21T06:51:00.700",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-03-14T22:15:07.610",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/Sylius/Sylius/releases/tag/v1.10.11"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/Sylius/Sylius/releases/tag/v1.11.2"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/Sylius/Sylius/releases/tag/v1.9.10"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-4qrp-27r3-66fj"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/Sylius/Sylius/releases/tag/v1.10.11"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/Sylius/Sylius/releases/tag/v1.11.2"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/Sylius/Sylius/releases/tag/v1.9.10"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-4qrp-27r3-66fj"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-80"
        },
        {
          "lang": "en",
          "value": "CWE-434"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2022-24749 (GCVE-0-2022-24749)

Vulnerability from cvelistv5

ghsa-4qrp-27r3-66fj

Vulnerability from github

Impact

Patches

Workarounds

For more information

cnvd-2022-20526

Vulnerability from cnvd

gsd-2022-24749

Vulnerability from gsd

fkie_cve-2022-24749

Vulnerability from fkie_nvd

Tags

Sightings

Nomenclature