Headline
CVE-2022-24742: Release v1.11.2 · Sylius/Sylius
Sylius is an open source eCommerce platform. Prior to versions 1.9.10, 1.10.11, and 1.11.2, any other user can view the data if browser tab remains unclosed after log out. The issue is fixed in versions 1.9.10, 1.10.11, and 1.11.2. A workaround is available. The application must strictly redirect to login page even browser back button is pressed. Another possibility is to set more strict cache policies for restricted content.
TL;DR
🔒 This is a security release!
Fixes the following vulnerabilities:
- Improper sanitize of SVG files during content upload (‘Cross-site Scripting’) in Sylius/Sylius
- User token not setup to null after reset password
- Add missing HTTP headers to avoid login forms clickjacking
- Exposure of sensitive information by using the back button after logging out in sylius/sylius
Details
- #13432 Update SalesDataProvider.php (@remoteclient)
- #13723 [Docs] Deployment on artifakt (@AdamKasp)
- #13731 [Taxation] Add validation of negative tax rate (@coldic3)
- #13734 [JS] add empty value to autocomplete selects (@SirDomin)
- #13735 [Docs] add note to translation (@AdamKasp)
- #13737 [Admin] Fix undefined labels in taxon autocomplete (@ernestWarwas)
- #13738 [Docs] Synchronous messenger transport (@Rafikooo)
- #13750 [Admin][Shop] placehold.it replaced to local placeholders (@ernestWarwas)
- #13751 [Docs] Blank line removed (@Rafikooo)
- #13756 [GitHub Actions] Change PHP ini values + clear cache (@GSadee)
- #13765 [Security] Fixes for SVG XSS, wrong cache for logged in users and clickjacking (@ernestWarwas, @lchrusciel, @GSadee, @Zales0123, @Rafikooo)
- #13766 [Security][API] passwordResetToken nulled after password is changed (@lchrusciel, @ernestWarwas, @GSadee, @TheMilek)