CVE-2019-12186

31.12.2019, 15:15

An issue was discovered in Sylius products. Missing input sanitization in sylius/sylius 1.0.x through 1.0.18, 1.1.x through 1.1.17, 1.2.x through 1.2.16, 1.3.x through 1.3.11, and 1.4.x through 1.4.3 and sylius/grid 1.0.x through 1.0.18, 1.1.x through 1.1.18, 1.2.x through 1.2.17, 1.3.x through 1.3.12, 1.4.x through 1.4.4, and 1.5.0 allows an attacker (an admin in the sylius/sylius case) to perform XSS by injecting malicious code into a field displayed in a grid with the "string" field type. The contents are an object, with malicious code returned by the __toString() method of that object.

Cross-site Scripting

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	4.8 MEDIUM	NETWORK	LOW	HIGH	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
mitre	CNA	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 56%

Vendor	Product	Version
sylius	grid	1.0.0 ≤ 𝑥 ≤ 1.0.18
sylius	grid	1.1.0 ≤ 𝑥 ≤ 1.1.18
sylius	grid	1.2.0 ≤ 𝑥 ≤ 1.2.17
sylius	grid	1.3.0 ≤ 𝑥 ≤ 1.3.12
sylius	grid	1.4.0 ≤ 𝑥 ≤ 1.4.4
sylius	grid	1.5.0
sylius	sylius	1.0.0 ≤ 𝑥 ≤ 1.0.18
sylius	sylius	1.1.0 ≤ 𝑥 ≤ 1.1.17
sylius	sylius	1.2.0 ≤ 𝑥 ≤ 1.2.16
sylius	sylius	1.3.0 ≤ 𝑥 ≤ 1.3.11
sylius	sylius	1.4.0 ≤ 𝑥 ≤ 1.4.3

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References

https://sylius.com/blog/cve-2019-12186/