Skip to content

Sylius Resource Bundle Cross-Site Request Forgery vulnerability

Moderate severity GitHub Reviewed Published May 29, 2024 to the GitHub Advisory Database • Updated May 29, 2024

Package

composer sylius/resource-bundle (Composer)

Affected versions

>= 1.0.0, < 1.0.17
>= 1.1.0, < 1.1.9
>= 1.2.0, < 1.2.2

Patched versions

1.0.17
1.1.9
1.2.2

Description

Sylius 1.0.0 to 1.0.16, 1.1.0 to 1.1.8, 1.2.0 to 1.2.1 versions of AdminBundle and ResourceBundle are affected by this security issue.

This issue has been fixed in Sylius 1.0.17, 1.1.9 and 1.2.2. Development branch for 1.3 release has also been fixed.

Description

The following actions in the admin panel did not require a CSRF token:

  • marking order’s payment as completed
  • marking order’s payment as refunded
  • marking product review as accepted
  • marking product review as rejected

Resolution

The issue is fixed by adding a required CSRF token to those actions.

We also fixed ResourceController‘s applyStateMachineTransitionAction method by adding a CSRF token check. If you use that action in the API context, you can disable it by adding csrf_protection: false to its routing configuration

References

Published to the GitHub Advisory Database May 29, 2024
Reviewed May 29, 2024
Last updated May 29, 2024

Severity

Moderate
6.5
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Weaknesses

CVE ID

No known CVE

GHSA ID

GHSA-65v7-wg35-2qpm

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.