Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXJjNXItNjk3Zi0yOHg2
XSS injection in the Grid component of Sylius
Grid component of Sylius omits HTML input sanitisation while rendering object implementing __toString() method through the string field type.
Permalink: https://github.com/advisories/GHSA-rc5r-697f-28x6JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXJjNXItNjk3Zi0yOHg2
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 3 years ago
Updated: 2 months ago
CVSS Score: 4.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Identifiers: GHSA-rc5r-697f-28x6, CVE-2019-12186
References:
- https://nvd.nist.gov/vuln/detail/CVE-2019-12186
- https://github.com/FriendsOfPHP/security-advisories/blob/master/sylius/grid/CVE-2019-12186.yaml
- https://sylius.com/blog/cve-2019-12186/
- https://github.com/advisories/GHSA-rc5r-697f-28x6
Affected Packages
packagist:sylius/sylius
Versions: >= 1.4.0, <= 1.4.3, >= 1.3.0, <= 1.3.11, >= 1.2.0, <= 1.2.16, >= 1.1.0, <= 1.1.17, >= 1.0.0, <= 1.0.18No known fixed version
packagist:sylius/grid-bundle
Versions: >= 1.5.0, < 1.5.1, >= 1.4.0, < 1.4.5, >= 1.3.0, < 1.3.13, >= 1.2.0, < 1.2.18, >= 1.0.0, < 1.1.19Fixed in: 1.5.1, 1.4.5, 1.3.13, 1.2.18, 1.1.19
packagist:sylius/grid
Versions: >= 1.5.0, < 1.5.1, >= 1.4.0, < 1.4.5, >= 1.3.0, < 1.3.13, >= 1.2.0, < 1.2.18, >= 1.0.0, < 1.1.19Fixed in: 1.5.1, 1.4.5, 1.3.13, 1.2.18, 1.1.19