Back

CVE-2024-34349

May 14, 2024, 4:12 p.m.

Awaiting Analysis
CVE has been marked for Analysis. Normally once in this state the CVE will be analyzed by NVD staff within 24 hours.

Products

Sylius

  • 1.12.16
  • 1.13.1

Source

security-advisories@github.com

Tags

security-advisories@github.com
CWE-79
2024-05-14
CVE-2024-34349

CVE-2024-34349 details

Published : May 14, 2024, 3:38 p.m.
Last Modified : May 14, 2024, 4:12 p.m.

Description

Sylius is an open source eCommerce platform. Prior to 1.12.16 and 1.13.1, there is a possibility to execute javascript code in the Admin panel. In order to perform an XSS attack input a script into Name field in which of the resources: Taxons, Products, Product Options or Product Variants. The code will be executed while using an autocomplete field with one of the listed entities in the Admin Panel. Also for the taxons in the category tree on the product form.The issue is fixed in versions: 1.12.16, 1.13.1.

CVSS Score

1 2 3 4 5 6.1 7 8 9 10

Weakness

Weakness Name Description

CVSS Data

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

Base Score

6.1

Exploitability Score

Impact Score

Base Severity

MEDIUM

Vector String : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References

URL Source
https://github.com/Sylius/Sylius/commit/ba4b66da5af88cdb1bba6174de8bdf42f4853e12 security-advisories@github.com
https://github.com/Sylius/Sylius/security/advisories/GHSA-v2f9-rv6w-vw8r security-advisories@github.com
This website uses the NVD API, but is not approved or certified by it.