Headline
GHSA-945h-6vcv-pc8h: Sylius Admin Bundle Cross-Site Request Forgery vulnerability
Sylius 1.0.0 to 1.0.16, 1.1.0 to 1.1.8, 1.2.0 to 1.2.1 versions of AdminBundle and ResourceBundle are affected by this security issue.
This issue has been fixed in Sylius 1.0.17, 1.1.9 and 1.2.2. Development branch for 1.3 release has also been fixed.
Description
The following actions in the admin panel did not require a CSRF token:
- marking order’s payment as completed
- marking order’s payment as refunded
- marking product review as accepted
- marking product review as rejected
Resolution
The issue is fixed by adding a required CSRF token to those actions.
We also fixed ResourceController
‘s applyStateMachineTransitionAction
method by adding a CSRF token check. If you use that action in the API context, you can disable it by adding csrf_protection:
false to its routing configuration
- GitHub Advisory Database
- GitHub Reviewed
- GHSA-945h-6vcv-pc8h
Sylius Admin Bundle Cross-Site Request Forgery vulnerability
Moderate severity GitHub Reviewed Published May 29, 2024 to the GitHub Advisory Database • Updated May 29, 2024
Package
composer sylius/admin-bundle (Composer)
Affected versions
>= 1.0.0, < 1.0.17
>= 1.1.0, < 1.1.9
>= 1.2.0, < 1.2.2
Patched versions
1.0.17
1.1.9
1.2.2
Sylius 1.0.0 to 1.0.16, 1.1.0 to 1.1.8, 1.2.0 to 1.2.1 versions of AdminBundle and ResourceBundle are affected by this security issue.
This issue has been fixed in Sylius 1.0.17, 1.1.9 and 1.2.2. Development branch for 1.3 release has also been fixed.
Description
The following actions in the admin panel did not require a CSRF token:
- marking order’s payment as completed
- marking order’s payment as refunded
- marking product review as accepted
- marking product review as rejected
Resolution
The issue is fixed by adding a required CSRF token to those actions.
We also fixed ResourceController‘s applyStateMachineTransitionAction method by adding a CSRF token check. If you use that action in the API context, you can disable it by adding csrf_protection: false to its routing configuration
References
- Sylius/SyliusAdminBundle@79c2d96
- https://github.com/FriendsOfPHP/security-advisories/blob/master/sylius/admin-bundle/2018-07-09.yaml
- https://sylius.com/blog/csrf-vulnerability-in-admin-panel
Published to the GitHub Advisory Database
May 29, 2024
Last updated
May 29, 2024