GHSA-65v7-wg35-2qpm

Suggest an improvement
Source
https://github.com/advisories/GHSA-65v7-wg35-2qpm
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-65v7-wg35-2qpm/GHSA-65v7-wg35-2qpm.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-65v7-wg35-2qpm
Published
2024-05-29T18:50:22Z
Modified
2024-05-29T19:03:45.722383Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N CVSS Calculator
Summary
Sylius Resource Bundle Cross-Site Request Forgery vulnerability
Details

Sylius 1.0.0 to 1.0.16, 1.1.0 to 1.1.8, 1.2.0 to 1.2.1 versions of AdminBundle and ResourceBundle are affected by this security issue.

This issue has been fixed in Sylius 1.0.17, 1.1.9 and 1.2.2. Development branch for 1.3 release has also been fixed.

Description

The following actions in the admin panel did not require a CSRF token:

  • marking order’s payment as completed
  • marking order’s payment as refunded
  • marking product review as accepted
  • marking product review as rejected

Resolution

The issue is fixed by adding a required CSRF token to those actions.

We also fixed ResourceController‘s applyStateMachineTransitionAction method by adding a CSRF token check. If you use that action in the API context, you can disable it by adding csrf_protection: false to its routing configuration

References

Affected packages

Packagist / sylius/resource-bundle

Package

Name
sylius/resource-bundle
Purl
pkg:composer/sylius/resource-bundle

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.0.0
Fixed
1.0.17

Affected versions

v1.*

v1.0.0
v1.0.1
v1.0.2
v1.0.3
v1.0.4
v1.0.5
v1.0.6
v1.0.7
v1.0.8
v1.0.9
v1.0.10
v1.0.11
v1.0.12
v1.0.13
v1.0.14
v1.0.15
v1.0.16

Packagist / sylius/resource-bundle

Package

Name
sylius/resource-bundle
Purl
pkg:composer/sylius/resource-bundle

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.1.0
Fixed
1.1.9

Affected versions

v1.*

v1.1.0
v1.1.1
v1.1.2
v1.1.3
v1.1.4
v1.1.5
v1.1.6
v1.1.7
v1.1.8

Packagist / sylius/resource-bundle

Package

Name
sylius/resource-bundle
Purl
pkg:composer/sylius/resource-bundle

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.2.0
Fixed
1.2.2

Affected versions

v1.*

v1.2.0
v1.2.1