GHSA-65v7-wg35-2qpm
Suggest an improvement- Source
- https://github.com/advisories/GHSA-65v7-wg35-2qpm
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-65v7-wg35-2qpm/GHSA-65v7-wg35-2qpm.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-65v7-wg35-2qpm
- Published
- 2024-05-29T18:50:22Z
- Modified
- 2024-12-04T05:39:55.172615Z
- Severity
-
- 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N CVSS Calculator
- Summary
- Sylius Resource Bundle Cross-Site Request Forgery vulnerability
- Details
-
Sylius 1.0.0 to 1.0.16, 1.1.0 to 1.1.8, 1.2.0 to 1.2.1 versions of AdminBundle and ResourceBundle are affected by this security issue.
This issue has been fixed in Sylius 1.0.17, 1.1.9 and 1.2.2. Development branch for 1.3 release has also been fixed.
Description
The following actions in the admin panel did not require a CSRF token:
- marking order’s payment as completed
- marking order’s payment as refunded
- marking product review as accepted
- marking product review as rejected
Resolution
The issue is fixed by adding a required CSRF token to those actions.
We also fixed
ResourceController‘sapplyStateMachineTransitionActionmethod by adding a CSRF token check. If you use that action in the API context, you can disable it by addingcsrf_protection:false to its routing configuration - Database specific
{ "nvd_published_at": null, "cwe_ids": [ "CWE-352" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2024-05-29T18:50:22Z" }- References
Affected packages
Packagist / sylius/resource-bundle
Package
- Name
- sylius/resource-bundle
- Purl
- pkg:composer/sylius/resource-bundle
Packagist / sylius/resource-bundle
Package
- Name
- sylius/resource-bundle
- Purl
- pkg:composer/sylius/resource-bundle
Packagist / sylius/resource-bundle
Package
- Name
- sylius/resource-bundle
- Purl
- pkg:composer/sylius/resource-bundle