Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

GSA_kwCzR0hTQS02NXY3LXdnMzUtMnFwbc4AA8jT

Moderate
Permalink JSON

Sylius Resource Bundle Cross-Site Request Forgery vulnerability

Affected Packages Affected Versions Fixed Versions
packagist:sylius/resource-bundle >= 1.2.0, < 1.2.2, >= 1.1.0, < 1.1.9, >= 1.0.0, < 1.0.17 1.2.2, 1.1.9, 1.0.17
156 Dependent packages
495 Dependent repositories
9,590,624 Downloads total

Affected Version Ranges

All affected versions

v1.0.0, v1.0.0-alpha.1, v1.0.0-alpha.2, v1.0.0-beta.1, v1.0.0-beta.2, v1.0.0-beta.3, v1.0.0-rc.1, v1.0.0-rc.2, v1.0.1, v1.0.2, v1.0.3, v1.0.4, v1.0.5, v1.0.6, v1.0.7, v1.0.8, v1.0.9, v1.0.10, v1.0.11, v1.0.12, v1.0.13, v1.0.14, v1.0.15, v1.0.16, v1.1.0, v1.1.0-RC, v1.1.1, v1.1.2, v1.1.3, v1.1.4, v1.1.5, v1.1.6, v1.1.7, v1.1.8, v1.2.0, v1.2.0-BETA, v1.2.0-RC, v1.2.1

All unaffected versions

v0.1.0, v0.2.0, v0.3.0, v0.5.0, v0.6.0, v0.7.0, v0.8.0, v0.9.0, v0.10.0, v0.11.0, v0.12.0, v0.13.0, v0.14.0, v0.15.0, v0.16.0, v0.17.0, v0.18.0, v0.19.0, v1.0.17, v1.0.18, v1.1.9, v1.1.10, v1.1.11, v1.1.12, v1.1.13, v1.1.14, v1.1.15, v1.1.17, v1.1.18, v1.2.2, v1.2.3, v1.2.4, v1.2.5, v1.2.6, v1.2.7, v1.2.8, v1.2.9, v1.2.10, v1.2.11, v1.2.12, v1.2.13, v1.2.14, v1.2.15, v1.2.16, v1.2.17, v1.3.0, v1.3.1, v1.3.2, v1.3.3, v1.3.4, v1.3.5, v1.3.6, v1.3.7, v1.3.8, v1.3.9, v1.3.10, v1.3.11, v1.3.12, v1.3.13, v1.3.14, v1.4.0, v1.4.1, v1.4.2, v1.4.3, v1.4.4, v1.4.5, v1.4.6, v1.4.7, v1.5.0, v1.5.1, v1.5.2, v1.6.0, v1.6.1, v1.6.2, v1.6.3, v1.6.4, v1.7.0, v1.7.1, v1.8.0, v1.8.1, v1.8.2, v1.8.3, v1.8.4, v1.9.0, v1.9.1, v1.10.0, v1.10.1, v1.10.2, v1.10.3, v1.11.0, v1.11.1, v1.11.2, v1.11.3, v1.11.4, v1.12.0, v1.12.1, v1.12.2, v1.13.0, v1.13.1

Sylius 1.0.0 to 1.0.16, 1.1.0 to 1.1.8, 1.2.0 to 1.2.1 versions of AdminBundle and ResourceBundle are affected by this security issue.

This issue has been fixed in Sylius 1.0.17, 1.1.9 and 1.2.2. Development branch for 1.3 release has also been fixed.

Description

The following actions in the admin panel did not require a CSRF token:

  • marking order’s payment as completed
  • marking order’s payment as refunded
  • marking product review as accepted
  • marking product review as rejected

Resolution

The issue is fixed by adding a required CSRF token to those actions.

We also fixed ResourceController‘s applyStateMachineTransitionAction method by adding a CSRF token check. If you use that action in the API context, you can disable it by adding csrf_protection: false to its routing configuration

References:

Identifiers

GHSA-65v7-wg35-2qpm

Risk

Severity

Moderate

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/Sylius/SyliusResourceBundle

Date and time

Published

over 1 year ago

Updated

17 days ago

API

JSON