Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-7prj-9ccr-hr3q: Sylius has potential Cross Site Scripting vulnerability via the "Province" field in the Checkout and Address Book

Impact

There is a possibility to save XSS code in province field in the Checkout and Address Book and then execute it on these pages. The problem occurs when you open the address step page in the checkout or edit the address in the address book. This only affects the base UI Shop provided by Sylius.

Patches

The issue is fixed in versions: 1.12.16, 1.13.1 and above.

Workarounds

  1. Create new file assets/shop/sylius-province-field.js:
// assets/shop/sylius-province-field.js

function sanitizeInput(input) {
  const div = document.createElement('div');
  div.textContent = input;
  return div.innerHTML; // Converts text content to plain HTML, stripping any scripts
}

const getProvinceInputValue = function getProvinceInputValue(valueSelector) {
  return valueSelector == undefined ? '' : `value="${sanitizeInput(valueSelector)}"`;
};

$.fn.extend({
  provinceField() {
    const countrySelect = $('select[name$="[countryCode]"]');

    countrySelect.on('change', (event) => {
      const select = $(event.currentTarget);
      const provinceContainer = select.parents('.field').next('div.province-container');

      const provinceSelectFieldName = select.attr('name').replace('country', 'province');
      const provinceInputFieldName = select.attr('name').replace('countryCode', 'provinceName');

      const provinceSelectFieldId = select.attr('id').replace('country', 'province');
      const provinceInputFieldId = select.attr('id').replace('countryCode', 'provinceName');

      const form = select.parents('form');

      if (select.val() === '' || select.val() == undefined) {
        provinceContainer.fadeOut('slow', () => {
          provinceContainer.html('');
        });

        return;
      }

      provinceContainer.attr('data-loading', true);
      form.addClass('loading');

      $.get(provinceContainer.attr('data-url'), { countryCode: select.val() }, (response) => {
        if (!response.content) {
          provinceContainer.fadeOut('slow', () => {
            provinceContainer.html('');

            provinceContainer.removeAttr('data-loading');
            form.removeClass('loading');
          });
        } else if (response.content.indexOf('select') !== -1) {
          provinceContainer.fadeOut('slow', () => {
            const provinceSelectValue = getProvinceInputValue((
              $(provinceContainer).find('select > option[selected$="selected"]').val()
            ));

            provinceContainer.html((
              response.content
                .replace('name="sylius_address_province"', `name="${provinceSelectFieldName}"${provinceSelectValue}`)
                .replace('id="sylius_address_province"', `id="${provinceSelectFieldId}"`)
                .replace('option value="" selected="selected"', 'option value=""')
                .replace(`option ${provinceSelectValue}`, `option ${provinceSelectValue}" selected="selected"`)
            ));
            provinceContainer.addClass('required');
            provinceContainer.removeAttr('data-loading');

            provinceContainer.fadeIn('fast', () => {
              form.removeClass('loading');
            });
          });
        } else {
          provinceContainer.fadeOut('slow', () => {
            const provinceInputValue = getProvinceInputValue($(provinceContainer).find('input').val());

            provinceContainer.html((
              response.content
                .replace('name="sylius_address_province"', `name="${provinceInputFieldName}"${provinceInputValue}`)
                .replace('id="sylius_address_province"', `id="${provinceInputFieldId}"`)
            ));

            provinceContainer.removeAttr('data-loading');

            provinceContainer.fadeIn('fast', () => {
              form.removeClass('loading');
            });
          });
        }
      });
    });

    if (countrySelect.val() !== '') {
      countrySelect.trigger('change');
    }

    if ($.trim($('div.province-container').text()) === '') {
      $('select.country-select').trigger('change');
    }

    const shippingAddressCheckbox = $('input[type="checkbox"][name$="[differentShippingAddress]"]');
    const shippingAddressContainer = $('#sylius-shipping-address-container');
    const toggleShippingAddress = function toggleShippingAddress() {
      shippingAddressContainer.toggle(shippingAddressCheckbox.prop('checked'));
    };
    toggleShippingAddress();
    shippingAddressCheckbox.on('change', toggleShippingAddress);
  },
});
  1. Add new import in assets/shop/entry.js:
// assets/shop/entry.js
// ...
import './sylius-province-field';
  1. Rebuild your assets:
yarn build

Acknowledgements

This security issue has been reported by @r2tunes, thank you!

References

  • The original advisory: https://github.com/advisories/GHSA-mw82-6m2g-qh6c

For more information

If you have any questions or comments about this advisory:

ghsa
#xss#vulnerability#nodejs#js#git
  1. GitHub Advisory Database
  2. GitHub Reviewed
  3. CVE-2024-29376

Sylius has potential Cross Site Scripting vulnerability via the “Province” field in the Checkout and Address Book

Moderate severity GitHub Reviewed Published May 10, 2024 in Sylius/Sylius • Updated May 10, 2024

Package

composer sylius/sylius (Composer)

Affected versions

>= 1.12.0-alpha.1, < 1.12.16

>= 1.13.0-alpha.1, < 1.13.1

Patched versions

1.12.16

1.13.1

Impact

There is a possibility to save XSS code in province field in the Checkout and Address Book and then execute it on these pages. The problem occurs when you open the address step page in the checkout or edit the address in the address book. This only affects the base UI Shop provided by Sylius.

Patches

The issue is fixed in versions: 1.12.16, 1.13.1 and above.

Workarounds

  1. Create new file assets/shop/sylius-province-field.js:

// assets/shop/sylius-province-field.js

function sanitizeInput(input) { const div = document.createElement(‘div’); div.textContent = input; return div.innerHTML; // Converts text content to plain HTML, stripping any scripts }

const getProvinceInputValue = function getProvinceInputValue(valueSelector) { return valueSelector == undefined ? ‘’ : `value="${sanitizeInput(valueSelector)}"`; };

$.fn.extend({ provinceField() { const countrySelect = $('select[name$="[countryCode]"]');

countrySelect.on('change', (event) \=> {
  const select \= $(event.currentTarget);
  const provinceContainer \= select.parents('.field').next('div.province-container');

  const provinceSelectFieldName \= select.attr('name').replace('country', 'province');
  const provinceInputFieldName \= select.attr('name').replace('countryCode', 'provinceName');

  const provinceSelectFieldId \= select.attr('id').replace('country', 'province');
  const provinceInputFieldId \= select.attr('id').replace('countryCode', 'provinceName');

  const form \= select.parents('form');

  if (select.val() \=== '' || select.val() \== undefined) {
    provinceContainer.fadeOut('slow', () \=> {
      provinceContainer.html('');
    });

    return;
  }

  provinceContainer.attr('data-loading', true);
  form.addClass('loading');

  $.get(provinceContainer.attr('data-url'), { countryCode: select.val() }, (response) \=> {
    if (!response.content) {
      provinceContainer.fadeOut('slow', () \=> {
        provinceContainer.html('');

        provinceContainer.removeAttr('data-loading');
        form.removeClass('loading');
      });
    } else if (response.content.indexOf('select') !== \-1) {
      provinceContainer.fadeOut('slow', () \=> {
        const provinceSelectValue \= getProvinceInputValue((
          $(provinceContainer).find('select > option\[selected$="selected"\]').val()
        ));

        provinceContainer.html((
          response.content
            .replace('name="sylius\_address\_province"', \`name="${provinceSelectFieldName}"${provinceSelectValue}\`)
            .replace('id="sylius\_address\_province"', \`id="${provinceSelectFieldId}"\`)
            .replace('option value="" selected="selected"', 'option value=""')
            .replace(\`option ${provinceSelectValue}\`, \`option ${provinceSelectValue}" selected="selected"\`)
        ));
        provinceContainer.addClass('required');
        provinceContainer.removeAttr('data-loading');

        provinceContainer.fadeIn('fast', () \=> {
          form.removeClass('loading');
        });
      });
    } else {
      provinceContainer.fadeOut('slow', () \=> {
        const provinceInputValue \= getProvinceInputValue($(provinceContainer).find('input').val());

        provinceContainer.html((
          response.content
            .replace('name="sylius\_address\_province"', \`name="${provinceInputFieldName}"${provinceInputValue}\`)
            .replace('id="sylius\_address\_province"', \`id="${provinceInputFieldId}"\`)
        ));

        provinceContainer.removeAttr('data-loading');

        provinceContainer.fadeIn('fast', () \=> {
          form.removeClass('loading');
        });
      });
    }
  });
});

if (countrySelect.val() !== '') {
  countrySelect.trigger('change');
}

if ($.trim($('div.province-container').text()) \=== '') {
  $('select.country-select').trigger('change');
}

const shippingAddressCheckbox \= $('input\[type="checkbox"\]\[name$="\[differentShippingAddress\]"\]');
const shippingAddressContainer \= $('#sylius-shipping-address-container');
const toggleShippingAddress \= function toggleShippingAddress() {
  shippingAddressContainer.toggle(shippingAddressCheckbox.prop('checked'));
};
toggleShippingAddress();
shippingAddressCheckbox.on('change', toggleShippingAddress);

}, });

  1. Add new import in assets/shop/entry.js:

// assets/shop/entry.js // … import './sylius-province-field’;

  1. Rebuild your assets:

Acknowledgements

This security issue has been reported by @r2tunes, thank you!

References

  • The original advisory: GHSA-mw82-6m2g-qh6c

For more information

If you have any questions or comments about this advisory:

References

  • GHSA-7prj-9ccr-hr3q
  • https://nvd.nist.gov/vuln/detail/CVE-2024-29376
  • Sylius/Sylius@fb0ecb2
  • https://github.com/r2tunes/Reports/blob/main/Sylius.md

Published to the GitHub Advisory Database

May 10, 2024

Last updated

May 10, 2024

Related news

GHSA-mw82-6m2g-qh6c: Sylius Cross Site Scripting (XSS) vulnerability

Sylius 1.12.13 is vulnerable to Cross Site Scripting (XSS) via the "Province" field in Address Book.