cvelistv5 - cve-2024-34349

CVE-2024-34349 (GCVE-0-2024-34349)

Vulnerability from cvelistv5

Published

2024-05-10 15:29

Modified

2024-08-02 02:51

Severity ?

4.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Summary

Sylius is an open source eCommerce platform. Prior to 1.12.16 and 1.13.1, there is a possibility to execute javascript code in the Admin panel. In order to perform an XSS attack input a script into Name field in which of the resources: Taxons, Products, Product Options or Product Variants. The code will be executed while using an autocomplete field with one of the listed entities in the Admin Panel. Also for the taxons in the category tree on the product form.The issue is fixed in versions: 1.12.16, 1.13.1.

References

▼	URL	Tags
	security-advisories@github.com	https://github.com/Sylius/Sylius/commit/ba4b66da5af88cdb1bba6174de8bdf42f4853e12
	security-advisories@github.com	https://github.com/Sylius/Sylius/security/advisories/GHSA-v2f9-rv6w-vw8r
	af854a3a-2127-422b-91ae-364da2661108	https://github.com/Sylius/Sylius/commit/ba4b66da5af88cdb1bba6174de8bdf42f4853e12
	af854a3a-2127-422b-91ae-364da2661108	https://github.com/Sylius/Sylius/security/advisories/GHSA-v2f9-rv6w-vw8r

Impacted products

	Vendor	Product	Version
	Sylius	Sylius	Version: < 1.12.16 Version: >= 1.13.0-alpha.1, < 1.13.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-34349",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-05-10T18:30:14.256886Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:42:11.744Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T02:51:11.424Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/Sylius/Sylius/security/advisories/GHSA-v2f9-rv6w-vw8r",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-v2f9-rv6w-vw8r"
          },
          {
            "name": "https://github.com/Sylius/Sylius/commit/ba4b66da5af88cdb1bba6174de8bdf42f4853e12",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/Sylius/Sylius/commit/ba4b66da5af88cdb1bba6174de8bdf42f4853e12"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Sylius",
          "vendor": "Sylius",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.12.16"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.13.0-alpha.1, \u003c 1.13.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Sylius is an open source eCommerce platform. Prior to 1.12.16 and 1.13.1, there is a possibility to execute javascript code in the Admin panel. In order to perform an XSS attack input a script into Name field in which of the resources: Taxons, Products, Product Options or Product Variants. The code will be executed while using an autocomplete field with one of the listed entities in the Admin Panel. Also for the taxons in the category tree on the product form.The issue is fixed in versions: 1.12.16, 1.13.1."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-07-08T12:35:38.149Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/Sylius/Sylius/security/advisories/GHSA-v2f9-rv6w-vw8r",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-v2f9-rv6w-vw8r"
        },
        {
          "name": "https://github.com/Sylius/Sylius/commit/ba4b66da5af88cdb1bba6174de8bdf42f4853e12",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/Sylius/Sylius/commit/ba4b66da5af88cdb1bba6174de8bdf42f4853e12"
        }
      ],
      "source": {
        "advisory": "GHSA-v2f9-rv6w-vw8r",
        "discovery": "UNKNOWN"
      },
      "title": "Sylius potentially vulnerable to Cross Site Scripting via \"Name\" field (Taxons, Products, Options, Variants) in Admin Panel"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-34349",
    "datePublished": "2024-05-10T15:29:39.791Z",
    "dateReserved": "2024-05-02T06:36:32.437Z",
    "dateUpdated": "2024-08-02T02:51:11.424Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-34349\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-05-14T15:38:41.397\",\"lastModified\":\"2024-11-21T09:18:28.893\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Sylius is an open source eCommerce platform. Prior to 1.12.16 and 1.13.1, there is a possibility to execute javascript code in the Admin panel. In order to perform an XSS attack input a script into Name field in which of the resources: Taxons, Products, Product Options or Product Variants. The code will be executed while using an autocomplete field with one of the listed entities in the Admin Panel. Also for the taxons in the category tree on the product form.The issue is fixed in versions: 1.12.16, 1.13.1.\"},{\"lang\":\"es\",\"value\":\"Sylius es una plataforma de comercio electr\u00f3nico de c\u00f3digo abierto. Antes de 1.12.16 y 1.13.1, existe la posibilidad de ejecutar c\u00f3digo javascript en el panel de administraci\u00f3n. Para realizar un ataque XSS, ingrese un script en el campo Nombre en cu\u00e1l de los recursos: Taxones, Productos, Opciones de producto o Variantes de producto. El c\u00f3digo se ejecutar\u00e1 mientras se utiliza un campo de autocompletar con una de las entidades enumeradas en el Panel de administraci\u00f3n. Tambi\u00e9n para los taxones en el \u00e1rbol de categor\u00edas en el formulario del producto. El problema se solucion\u00f3 en las versiones: 1.12.16, 1.13.1.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":4.8,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.7,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"references\":[{\"url\":\"https://github.com/Sylius/Sylius/commit/ba4b66da5af88cdb1bba6174de8bdf42f4853e12\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/Sylius/Sylius/security/advisories/GHSA-v2f9-rv6w-vw8r\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/Sylius/Sylius/commit/ba4b66da5af88cdb1bba6174de8bdf42f4853e12\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://github.com/Sylius/Sylius/security/advisories/GHSA-v2f9-rv6w-vw8r\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/Sylius/Sylius/security/advisories/GHSA-v2f9-rv6w-vw8r\", \"name\": \"https://github.com/Sylius/Sylius/security/advisories/GHSA-v2f9-rv6w-vw8r\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/Sylius/Sylius/commit/ba4b66da5af88cdb1bba6174de8bdf42f4853e12\", \"name\": \"https://github.com/Sylius/Sylius/commit/ba4b66da5af88cdb1bba6174de8bdf42f4853e12\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T02:51:11.424Z\"}}, {\"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-34349\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-05-10T18:30:14.256886Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-05-10T18:30:17.286Z\"}, \"title\": \"CISA ADP Vulnrichment\"}], \"cna\": {\"title\": \"Sylius potentially vulnerable to Cross Site Scripting via \\\"Name\\\" field (Taxons, Products, Options, Variants) in Admin Panel\", \"source\": {\"advisory\": \"GHSA-v2f9-rv6w-vw8r\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 4.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"Sylius\", \"product\": \"Sylius\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 1.12.16\"}, {\"status\": \"affected\", \"version\": \"\u003e= 1.13.0-alpha.1, \u003c 1.13.1\"}]}], \"references\": [{\"url\": \"https://github.com/Sylius/Sylius/security/advisories/GHSA-v2f9-rv6w-vw8r\", \"name\": \"https://github.com/Sylius/Sylius/security/advisories/GHSA-v2f9-rv6w-vw8r\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/Sylius/Sylius/commit/ba4b66da5af88cdb1bba6174de8bdf42f4853e12\", \"name\": \"https://github.com/Sylius/Sylius/commit/ba4b66da5af88cdb1bba6174de8bdf42f4853e12\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Sylius is an open source eCommerce platform. Prior to 1.12.16 and 1.13.1, there is a possibility to execute javascript code in the Admin panel. In order to perform an XSS attack input a script into Name field in which of the resources: Taxons, Products, Product Options or Product Variants. The code will be executed while using an autocomplete field with one of the listed entities in the Admin Panel. Also for the taxons in the category tree on the product form.The issue is fixed in versions: 1.12.16, 1.13.1.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-07-08T12:35:38.149Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-34349\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-08-02T02:51:11.424Z\", \"dateReserved\": \"2024-05-02T06:36:32.437Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-05-10T15:29:39.791Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

ghsa-v2f9-rv6w-vw8r

Vulnerability from github

Published

2024-05-10 15:33

Modified

2024-07-08 12:45

Severity ?

4.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
4.8 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Summary

Sylius potentially vulnerable to Cross Site Scripting via "Name" field (Taxons, Products, Options, Variants) in Admin Panel

Details

Impact

There is a possibility to execute javascript code in the Admin panel. In order to perform an XSS attack input a script into Name field in which of the resources: Taxons, Products, Product Options or Product Variants. The code will be executed while using an autocomplete field with one of the listed entities in the Admin Panel. Also for the taxons in the category tree on the product form.

Patches

The issue is fixed in versions: 1.12.16, 1.13.1 and above.

Workarounds

Create new file assets/admin/sylius-lazy-choice-tree.js:

```js // assets/admin/sylius-lazy-choice-tree.js

function sanitizeInput(input) { const div = document.createElement('div'); div.textContent = input; return div.innerHTML; // Converts text content to plain HTML, stripping any scripts }

const createRootContainer = function createRootContainer() { return $(' '); };

const createLeafContainerElement = function createLeafContainerElement() { return $(' '); };

const createLeafIconElement = function createLeafIconElement() { return $(''); };

const createLeafTitleElement = function createLeafTitleElement() { return $(' '); };

const createLeafTitleSpan = function createLeafTitleSpan(displayName) { return $(<span style="margin-right: 5px; cursor: pointer;">${displayName}</span>); };

const createLeafContentElement = function createLeafContentElement() { return $(' '); };

$.fn.extend({ choiceTree(type, multiple, defaultLevel) { const tree = this; const loader = tree.find('.dimmer'); const loadedLeafs = []; const $input = tree.find('input[type="hidden"]');

const createCheckboxElement = function createCheckboxElement(name, code, multi) {
  const chosenNodes = $input.val().split(',');
  let checked = '';
  if (chosenNodes.some(chosenCode => chosenCode === code)) {
    checked = 'checked="checked"';
  }
  if (multi) {
    return $(`<div class="ui checkbox" data-value="${code}"><input ${checked} type="checkbox" name="${type}"></div>`);
  }

  return $(`<div class="ui radio checkbox" data-value="${code}"><input ${checked} type="radio" name="${type}"></div>`);
};

const isLeafLoaded = function isLeafLoaded(code) {
  return loadedLeafs.some(leafCode => leafCode === code);
};

let createLeafFunc;

const loadLeafAction = function loadLeafAction(parentCode, expandButton, content, icon, leafContainerElement) {
  icon.toggleClass('open');

  if (!isLeafLoaded(parentCode)) {
    expandButton.api({
      on: 'now',
      url: tree.data('tree-leafs-url') || tree.data('taxon-leafs-url'),
      method: 'GET',
      cache: false,
      data: {
        parentCode,
      },
      beforeSend(settings) {
        loader.addClass('active');

        return settings;
      },
      onSuccess(response) {
        response.forEach((leafNode) => {
          leafContainerElement.append((
            createLeafFunc(sanitizeInput(leafNode.name), leafNode.code, leafNode.hasChildren, multiple, leafNode.level)
          ));
        });
        content.append(leafContainerElement);
        loader.removeClass('active');
        loadedLeafs.push(parentCode);

        leafContainerElement.toggle();
      },
    });
  }

  leafContainerElement.toggle();
};

const bindExpandLeafAction = function bindExpandLeafAction(parentCode, expandButton, content, icon, level) {
  const leafContainerElement = createLeafContainerElement();
  if (defaultLevel > level) {
    loadLeafAction(parentCode, expandButton, content, icon, leafContainerElement);
  }

  expandButton.click(() => {
    loadLeafAction(parentCode, expandButton, content, icon, leafContainerElement);
  });
};

const bindCheckboxAction = function bindCheckboxAction(checkboxElement) {
  checkboxElement.checkbox({
    onChecked() {
      const { value } = checkboxElement[0].dataset;
      const checkedValues = $input.val().split(',').filter(Boolean);
      checkedValues.push(value);
      $input.val(checkedValues.join());
    },
    onUnchecked() {
      const { value } = checkboxElement[0].dataset;
      const checkedValues = $input.val().split(',').filter(Boolean);
      const i = checkedValues.indexOf(value);
      if (i !== -1) {
        checkedValues.splice(i, 1);
      }
      $input.val(checkedValues.join());
    },
  });
};

const createLeaf = function createLeaf(name, code, hasChildren, multipleChoice, level) {
  const displayNameElement = createLeafTitleSpan(name);
  const titleElement = createLeafTitleElement();
  const iconElement = createLeafIconElement();
  const checkboxElement = createCheckboxElement(name, code, multipleChoice);

  bindCheckboxAction(checkboxElement);

  const leafElement = $('<div class="item"></div>');
  const leafContentElement = createLeafContentElement();

  leafElement.append(iconElement);
  titleElement.append(displayNameElement);
  titleElement.append(checkboxElement);
  leafContentElement.append(titleElement);

  if (!hasChildren) {
    iconElement.addClass('outline');
  }
  if (hasChildren) {
    bindExpandLeafAction(code, displayNameElement, leafContentElement, iconElement, level);
  }
  leafElement.append(leafContentElement);

  return leafElement;
};
createLeafFunc = createLeaf;

tree.api({
  on: 'now',
  method: 'GET',
  url: tree.data('tree-root-nodes-url') || tree.data('taxon-root-nodes-url'),
  cache: false,
  beforeSend(settings) {
    loader.addClass('active');

    return settings;
  },
  onSuccess(response) {
    const rootContainer = createRootContainer();
    response.forEach((rootNode) => {
      rootContainer.append((
        createLeaf(sanitizeInput(rootNode.name), rootNode.code, rootNode.hasChildren, multiple, rootNode.level)
      ));
    });
    tree.append(rootContainer);
    loader.removeClass('active');
  },
});

}, }); ```

Create new file assets/admin/sylius-auto-complete.js:

```js // assets/admin/sylius-auto-complete.js

function sanitizeInput(input) { const div = document.createElement('div'); div.textContent = input; return div.innerHTML; // Converts text content to plain HTML, stripping any scripts }

$.fn.extend({ autoComplete() { this.each((idx, el) => { const element = $(el); const criteriaName = element.data('criteria-name'); const choiceName = element.data('choice-name'); const choiceValue = element.data('choice-value'); const autocompleteValue = element.find('input.autocomplete').val(); const loadForEditUrl = element.data('load-edit-url');

  element.dropdown({
    delay: {
      search: 250,
    },
    forceSelection: false,
    saveRemoteData: false,
    verbose: true,
    apiSettings: {
      dataType: 'JSON',
      cache: false,
      beforeSend(settings) {
        /* eslint-disable-next-line no-param-reassign */
        settings.data[criteriaName] = settings.urlData.query;

        return settings;
      },
      onResponse(response) {
        let results = response.map(item => ({
          name: sanitizeInput(item[choiceName]),
          value: sanitizeInput(item[choiceValue]),
        }));

        if (!element.hasClass('multiple')) {
          results.unshift({
            name: '&nbsp;',
            value: '',
          });
        }

        return {
          success: true,
          results: results,
        };
      },
    },
  });

  if (autocompleteValue.split(',').filter(String).length > 0) {
    const menuElement = element.find('div.menu');

    menuElement.api({
      on: 'now',
      method: 'GET',
      url: loadForEditUrl,
      beforeSend(settings) {
        /* eslint-disable-next-line no-param-reassign */
        settings.data[choiceValue] = autocompleteValue.split(',').filter(String);

        return settings;
      },
      onSuccess(response) {
        response.forEach((item) => {
          menuElement.append((
            $(`<div class="item" data-value="${item[choiceValue]}">${item[choiceName]}</div>`)
          ));
        });

        element.dropdown('refresh');
        element.dropdown('set selected', element.find('input.autocomplete').val().split(',').filter(String));
      },
    });
  }
});

}, }); ```

Create new file assets/admin/sylius-product-auto-complete.js:

```js // assets/admin/sylius-product-auto-complete.js

function sanitizeInput(input) { const div = document.createElement('div'); div.textContent = input; return div.innerHTML; // Converts text content to plain HTML, stripping any scripts }

$.fn.extend({ productAutoComplete() { this.each((index, element) => { const $element = $(element); $element.dropdown('set selected', $element.find('input[name*="[associations]"]').val().split(',').filter(String)); });

this.dropdown({
  delay: {
    search: 250,
  },
  forceSelection: false,
  apiSettings: {
    dataType: 'JSON',
    cache: false,
    data: {
      criteria: { search: { type: 'contains', value: '' } },
    },
    beforeSend(settings) {
      /* eslint-disable-next-line no-param-reassign */
      settings.data.criteria.search.value = settings.urlData.query;

      return settings;
    },
    onResponse(response) {
      return {
        success: true,
        results: response._embedded.items.map(item => ({
          name: sanitizeInput(item.name),
          value: sanitizeInput(item.code),
        })),
      };
    },
  },
  onAdd(addedValue, addedText, $addedChoice) {
    const inputAssociation = $addedChoice.parents('.product-select').find('input[name*="[associations]"]');
    const associatedProductCodes = inputAssociation.val().length > 0 ? inputAssociation.val().split(',').filter(String) : [];

    associatedProductCodes.push(addedValue);
    $.unique(associatedProductCodes.sort());

    inputAssociation.attr('value', associatedProductCodes.join());
  },
  onRemove(removedValue, removedText, $removedChoice) {
    const inputAssociation = $removedChoice.parents('.product-select').find('input[name*="[associations]"]');
    const associatedProductCodes = inputAssociation.val().length > 0 ? inputAssociation.val().split(',').filter(String) : [];

    associatedProductCodes.splice($.inArray(removedValue, associatedProductCodes), 1);

    inputAssociation.attr('value', associatedProductCodes.join());
  },
});

}, }); ```

Add new import in assets/admin/entry.js:

js // assets/admin/entry.js // ... import './sylius-lazy-choice-tree'; import './sylius-auto-complete'; import './sylius-product-auto-complete';

Rebuild your assets:

bash yarn build

Acknowledgements

This security issue has been reported by Checkmarx Research Group, thank you!

For more information

If you have any questions or comments about this advisory: * Open an issue in Sylius issues * Email us at security@sylius.com

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "sylius/sylius"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.12.0-alpha.1"
            },
            {
              "fixed": "1.12.16"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "sylius/sylius"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.13.0-alpha.1"
            },
            {
              "fixed": "1.13.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-34349"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-10T15:33:01Z",
    "nvd_published_at": "2024-05-14T15:38:41Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nThere is a possibility to execute javascript code in the Admin panel. In order to perform an XSS attack input a script into `Name` field in which of the resources: Taxons, Products, Product Options or Product Variants. The code will be executed while using an autocomplete field with one of the listed entities in the Admin Panel. Also for the taxons in the category tree on the product form. \n\n### Patches\nThe issue is fixed in versions: 1.12.16, 1.13.1 and above.\n\n### Workarounds\n\n1. Create new file `assets/admin/sylius-lazy-choice-tree.js`:\n\n```js\n// assets/admin/sylius-lazy-choice-tree.js\n\nfunction sanitizeInput(input) {\n  const div = document.createElement(\u0027div\u0027);\n  div.textContent = input;\n  return div.innerHTML; // Converts text content to plain HTML, stripping any scripts\n}\n\nconst createRootContainer = function createRootContainer() {\n  return $(\u0027\u003cdiv class=\"ui list\"\u003e\u003c/div\u003e\u0027);\n};\n\nconst createLeafContainerElement = function createLeafContainerElement() {\n  return $(\u0027\u003cdiv class=\"list\"\u003e\u003c/div\u003e\u0027);\n};\n\nconst createLeafIconElement = function createLeafIconElement() {\n  return $(\u0027\u003ci class=\"folder icon\"\u003e\u003c/i\u003e\u0027);\n};\n\nconst createLeafTitleElement = function createLeafTitleElement() {\n  return $(\u0027\u003cdiv class=\"header\"\u003e\u003c/div\u003e\u0027);\n};\n\nconst createLeafTitleSpan = function createLeafTitleSpan(displayName) {\n  return $(`\u003cspan style=\"margin-right: 5px; cursor: pointer;\"\u003e${displayName}\u003c/span\u003e`);\n};\n\nconst createLeafContentElement = function createLeafContentElement() {\n  return $(\u0027\u003cdiv class=\"content\"\u003e\u003c/div\u003e\u0027);\n};\n\n$.fn.extend({\n  choiceTree(type, multiple, defaultLevel) {\n    const tree = this;\n    const loader = tree.find(\u0027.dimmer\u0027);\n    const loadedLeafs = [];\n    const $input = tree.find(\u0027input[type=\"hidden\"]\u0027);\n\n    const createCheckboxElement = function createCheckboxElement(name, code, multi) {\n      const chosenNodes = $input.val().split(\u0027,\u0027);\n      let checked = \u0027\u0027;\n      if (chosenNodes.some(chosenCode =\u003e chosenCode === code)) {\n        checked = \u0027checked=\"checked\"\u0027;\n      }\n      if (multi) {\n        return $(`\u003cdiv class=\"ui checkbox\" data-value=\"${code}\"\u003e\u003cinput ${checked} type=\"checkbox\" name=\"${type}\"\u003e\u003c/div\u003e`);\n      }\n\n      return $(`\u003cdiv class=\"ui radio checkbox\" data-value=\"${code}\"\u003e\u003cinput ${checked} type=\"radio\" name=\"${type}\"\u003e\u003c/div\u003e`);\n    };\n\n    const isLeafLoaded = function isLeafLoaded(code) {\n      return loadedLeafs.some(leafCode =\u003e leafCode === code);\n    };\n\n    let createLeafFunc;\n\n    const loadLeafAction = function loadLeafAction(parentCode, expandButton, content, icon, leafContainerElement) {\n      icon.toggleClass(\u0027open\u0027);\n\n      if (!isLeafLoaded(parentCode)) {\n        expandButton.api({\n          on: \u0027now\u0027,\n          url: tree.data(\u0027tree-leafs-url\u0027) || tree.data(\u0027taxon-leafs-url\u0027),\n          method: \u0027GET\u0027,\n          cache: false,\n          data: {\n            parentCode,\n          },\n          beforeSend(settings) {\n            loader.addClass(\u0027active\u0027);\n\n            return settings;\n          },\n          onSuccess(response) {\n            response.forEach((leafNode) =\u003e {\n              leafContainerElement.append((\n                createLeafFunc(sanitizeInput(leafNode.name), leafNode.code, leafNode.hasChildren, multiple, leafNode.level)\n              ));\n            });\n            content.append(leafContainerElement);\n            loader.removeClass(\u0027active\u0027);\n            loadedLeafs.push(parentCode);\n\n            leafContainerElement.toggle();\n          },\n        });\n      }\n\n      leafContainerElement.toggle();\n    };\n\n    const bindExpandLeafAction = function bindExpandLeafAction(parentCode, expandButton, content, icon, level) {\n      const leafContainerElement = createLeafContainerElement();\n      if (defaultLevel \u003e level) {\n        loadLeafAction(parentCode, expandButton, content, icon, leafContainerElement);\n      }\n\n      expandButton.click(() =\u003e {\n        loadLeafAction(parentCode, expandButton, content, icon, leafContainerElement);\n      });\n    };\n\n    const bindCheckboxAction = function bindCheckboxAction(checkboxElement) {\n      checkboxElement.checkbox({\n        onChecked() {\n          const { value } = checkboxElement[0].dataset;\n          const checkedValues = $input.val().split(\u0027,\u0027).filter(Boolean);\n          checkedValues.push(value);\n          $input.val(checkedValues.join());\n        },\n        onUnchecked() {\n          const { value } = checkboxElement[0].dataset;\n          const checkedValues = $input.val().split(\u0027,\u0027).filter(Boolean);\n          const i = checkedValues.indexOf(value);\n          if (i !== -1) {\n            checkedValues.splice(i, 1);\n          }\n          $input.val(checkedValues.join());\n        },\n      });\n    };\n\n    const createLeaf = function createLeaf(name, code, hasChildren, multipleChoice, level) {\n      const displayNameElement = createLeafTitleSpan(name);\n      const titleElement = createLeafTitleElement();\n      const iconElement = createLeafIconElement();\n      const checkboxElement = createCheckboxElement(name, code, multipleChoice);\n\n      bindCheckboxAction(checkboxElement);\n\n      const leafElement = $(\u0027\u003cdiv class=\"item\"\u003e\u003c/div\u003e\u0027);\n      const leafContentElement = createLeafContentElement();\n\n      leafElement.append(iconElement);\n      titleElement.append(displayNameElement);\n      titleElement.append(checkboxElement);\n      leafContentElement.append(titleElement);\n\n      if (!hasChildren) {\n        iconElement.addClass(\u0027outline\u0027);\n      }\n      if (hasChildren) {\n        bindExpandLeafAction(code, displayNameElement, leafContentElement, iconElement, level);\n      }\n      leafElement.append(leafContentElement);\n\n      return leafElement;\n    };\n    createLeafFunc = createLeaf;\n\n    tree.api({\n      on: \u0027now\u0027,\n      method: \u0027GET\u0027,\n      url: tree.data(\u0027tree-root-nodes-url\u0027) || tree.data(\u0027taxon-root-nodes-url\u0027),\n      cache: false,\n      beforeSend(settings) {\n        loader.addClass(\u0027active\u0027);\n\n        return settings;\n      },\n      onSuccess(response) {\n        const rootContainer = createRootContainer();\n        response.forEach((rootNode) =\u003e {\n          rootContainer.append((\n            createLeaf(sanitizeInput(rootNode.name), rootNode.code, rootNode.hasChildren, multiple, rootNode.level)\n          ));\n        });\n        tree.append(rootContainer);\n        loader.removeClass(\u0027active\u0027);\n      },\n    });\n  },\n});\n```\n\n2. Create new file `assets/admin/sylius-auto-complete.js`:\n\n```js\n// assets/admin/sylius-auto-complete.js\n\nfunction sanitizeInput(input) {\n  const div = document.createElement(\u0027div\u0027);\n  div.textContent = input;\n  return div.innerHTML; // Converts text content to plain HTML, stripping any scripts\n}\n\n$.fn.extend({\n  autoComplete() {\n    this.each((idx, el) =\u003e {\n      const element = $(el);\n      const criteriaName = element.data(\u0027criteria-name\u0027);\n      const choiceName = element.data(\u0027choice-name\u0027);\n      const choiceValue = element.data(\u0027choice-value\u0027);\n      const autocompleteValue = element.find(\u0027input.autocomplete\u0027).val();\n      const loadForEditUrl = element.data(\u0027load-edit-url\u0027);\n\n      element.dropdown({\n        delay: {\n          search: 250,\n        },\n        forceSelection: false,\n        saveRemoteData: false,\n        verbose: true,\n        apiSettings: {\n          dataType: \u0027JSON\u0027,\n          cache: false,\n          beforeSend(settings) {\n            /* eslint-disable-next-line no-param-reassign */\n            settings.data[criteriaName] = settings.urlData.query;\n\n            return settings;\n          },\n          onResponse(response) {\n            let results = response.map(item =\u003e ({\n              name: sanitizeInput(item[choiceName]),\n              value: sanitizeInput(item[choiceValue]),\n            }));\n\n            if (!element.hasClass(\u0027multiple\u0027)) {\n              results.unshift({\n                name: \u0027\u0026nbsp;\u0027,\n                value: \u0027\u0027,\n              });\n            }\n\n            return {\n              success: true,\n              results: results,\n            };\n          },\n        },\n      });\n\n      if (autocompleteValue.split(\u0027,\u0027).filter(String).length \u003e 0) {\n        const menuElement = element.find(\u0027div.menu\u0027);\n\n        menuElement.api({\n          on: \u0027now\u0027,\n          method: \u0027GET\u0027,\n          url: loadForEditUrl,\n          beforeSend(settings) {\n            /* eslint-disable-next-line no-param-reassign */\n            settings.data[choiceValue] = autocompleteValue.split(\u0027,\u0027).filter(String);\n\n            return settings;\n          },\n          onSuccess(response) {\n            response.forEach((item) =\u003e {\n              menuElement.append((\n                $(`\u003cdiv class=\"item\" data-value=\"${item[choiceValue]}\"\u003e${item[choiceName]}\u003c/div\u003e`)\n              ));\n            });\n\n            element.dropdown(\u0027refresh\u0027);\n            element.dropdown(\u0027set selected\u0027, element.find(\u0027input.autocomplete\u0027).val().split(\u0027,\u0027).filter(String));\n          },\n        });\n      }\n    });\n  },\n});\n```\n\n3. Create new file `assets/admin/sylius-product-auto-complete.js`:\n\n```js\n// assets/admin/sylius-product-auto-complete.js\n\nfunction sanitizeInput(input) {\n  const div = document.createElement(\u0027div\u0027);\n  div.textContent = input;\n  return div.innerHTML; // Converts text content to plain HTML, stripping any scripts\n}\n\n$.fn.extend({\n  productAutoComplete() {\n    this.each((index, element) =\u003e {\n      const $element = $(element);\n      $element.dropdown(\u0027set selected\u0027, $element.find(\u0027input[name*=\"[associations]\"]\u0027).val().split(\u0027,\u0027).filter(String));\n    });\n\n    this.dropdown({\n      delay: {\n        search: 250,\n      },\n      forceSelection: false,\n      apiSettings: {\n        dataType: \u0027JSON\u0027,\n        cache: false,\n        data: {\n          criteria: { search: { type: \u0027contains\u0027, value: \u0027\u0027 } },\n        },\n        beforeSend(settings) {\n          /* eslint-disable-next-line no-param-reassign */\n          settings.data.criteria.search.value = settings.urlData.query;\n\n          return settings;\n        },\n        onResponse(response) {\n          return {\n            success: true,\n            results: response._embedded.items.map(item =\u003e ({\n              name: sanitizeInput(item.name),\n              value: sanitizeInput(item.code),\n            })),\n          };\n        },\n      },\n      onAdd(addedValue, addedText, $addedChoice) {\n        const inputAssociation = $addedChoice.parents(\u0027.product-select\u0027).find(\u0027input[name*=\"[associations]\"]\u0027);\n        const associatedProductCodes = inputAssociation.val().length \u003e 0 ? inputAssociation.val().split(\u0027,\u0027).filter(String) : [];\n\n        associatedProductCodes.push(addedValue);\n        $.unique(associatedProductCodes.sort());\n\n        inputAssociation.attr(\u0027value\u0027, associatedProductCodes.join());\n      },\n      onRemove(removedValue, removedText, $removedChoice) {\n        const inputAssociation = $removedChoice.parents(\u0027.product-select\u0027).find(\u0027input[name*=\"[associations]\"]\u0027);\n        const associatedProductCodes = inputAssociation.val().length \u003e 0 ? inputAssociation.val().split(\u0027,\u0027).filter(String) : [];\n\n        associatedProductCodes.splice($.inArray(removedValue, associatedProductCodes), 1);\n\n        inputAssociation.attr(\u0027value\u0027, associatedProductCodes.join());\n      },\n    });\n  },\n});\n```\n\n4. Add new import in `assets/admin/entry.js`:\n\n```js\n// assets/admin/entry.js\n// ...\nimport \u0027./sylius-lazy-choice-tree\u0027;\nimport \u0027./sylius-auto-complete\u0027;\nimport \u0027./sylius-product-auto-complete\u0027;\n```\n\n5. Rebuild your assets:\n\n```bash\nyarn build\n``` \n\n### Acknowledgements\n\nThis security issue has been reported by [Checkmarx Research Group](https://checkmarx.com), thank you!\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [Sylius issues](https://github.com/Sylius/Sylius/issues)\n* Email us at security@sylius.com\n",
  "id": "GHSA-v2f9-rv6w-vw8r",
  "modified": "2024-07-08T12:45:11Z",
  "published": "2024-05-10T15:33:01Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-v2f9-rv6w-vw8r"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Sylius/Sylius/commit/ba4b66da5af88cdb1bba6174de8bdf42f4853e12"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Sylius/Sylius"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Sylius potentially vulnerable to Cross Site Scripting via \"Name\" field (Taxons, Products, Options, Variants) in Admin Panel"
}

fkie_cve-2024-34349

Vulnerability from fkie_nvd

Published

2024-05-14 15:38

Modified

2024-11-21 09:18

Severity ?

4.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Summary

References

▼	URL	Tags
	security-advisories@github.com	https://github.com/Sylius/Sylius/commit/ba4b66da5af88cdb1bba6174de8bdf42f4853e12
	security-advisories@github.com	https://github.com/Sylius/Sylius/security/advisories/GHSA-v2f9-rv6w-vw8r
	af854a3a-2127-422b-91ae-364da2661108	https://github.com/Sylius/Sylius/commit/ba4b66da5af88cdb1bba6174de8bdf42f4853e12
	af854a3a-2127-422b-91ae-364da2661108	https://github.com/Sylius/Sylius/security/advisories/GHSA-v2f9-rv6w-vw8r

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Sylius is an open source eCommerce platform. Prior to 1.12.16 and 1.13.1, there is a possibility to execute javascript code in the Admin panel. In order to perform an XSS attack input a script into Name field in which of the resources: Taxons, Products, Product Options or Product Variants. The code will be executed while using an autocomplete field with one of the listed entities in the Admin Panel. Also for the taxons in the category tree on the product form.The issue is fixed in versions: 1.12.16, 1.13.1."
    },
    {
      "lang": "es",
      "value": "Sylius es una plataforma de comercio electr\u00f3nico de c\u00f3digo abierto. Antes de 1.12.16 y 1.13.1, existe la posibilidad de ejecutar c\u00f3digo javascript en el panel de administraci\u00f3n. Para realizar un ataque XSS, ingrese un script en el campo Nombre en cu\u00e1l de los recursos: Taxones, Productos, Opciones de producto o Variantes de producto. El c\u00f3digo se ejecutar\u00e1 mientras se utiliza un campo de autocompletar con una de las entidades enumeradas en el Panel de administraci\u00f3n. Tambi\u00e9n para los taxones en el \u00e1rbol de categor\u00edas en el formulario del producto. El problema se solucion\u00f3 en las versiones: 1.12.16, 1.13.1."
    }
  ],
  "id": "CVE-2024-34349",
  "lastModified": "2024-11-21T09:18:28.893",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.8,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.7,
        "impactScore": 2.7,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-05-14T15:38:41.397",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/Sylius/Sylius/commit/ba4b66da5af88cdb1bba6174de8bdf42f4853e12"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-v2f9-rv6w-vw8r"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/Sylius/Sylius/commit/ba4b66da5af88cdb1bba6174de8bdf42f4853e12"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-v2f9-rv6w-vw8r"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2024-34349 (GCVE-0-2024-34349)

Vulnerability from cvelistv5

ghsa-v2f9-rv6w-vw8r

Vulnerability from github

Impact

Patches

Workarounds

Acknowledgements

For more information

fkie_cve-2024-34349

Vulnerability from fkie_nvd

Tags

Sightings

Nomenclature