Security Advisories - sylius/sylius

sylius/sylius Security Advisories for v1.2.10 (9)

[MEDIUM] Sylius Cross Site Scripting (XSS) vulnerability

PKSA-nsc4-mbdg-1r18 CVE-2024-29376 GHSA-mw82-6m2g-qh6c

Affected version: <=1.12.13

Reported by:
GitHub
[MEDIUM] Improper sanitize of SVG files during content upload ('Cross-site Scripting') in sylius/sylius

PKSA-bdq8-12rq-1jxx CVE-2022-24749 GHSA-4qrp-27r3-66fj

Affected version: >=1.11.0,<1.11.2|>=1.10.0,<1.10.11|<1.9.10

Reported by:
GitHub
[MEDIUM] Sensitive Information Exposure in Sylius

PKSA-4y6p-d93g-pxdh CVE-2022-24742 GHSA-7563-75j9-6h5p

Affected version: >=1.11,<1.11.2|>=1.10,<1.10.11|<1.9.10

Reported by:
GitHub
[MEDIUM] Improper Restriction of Rendered UI Layers or Frames in Sylius

PKSA-ftgj-pjx7-dswf CVE-2022-24733 GHSA-4jp3-q2qm-9fmw

Affected version: >=1.11.0,<1.11.2|>=1.10.0,<1.10.11|<1.9.10

Reported by:
GitHub
[MEDIUM] CVE-2020-15245: Ability to switch customer email address on account detail page and stay verified

PKSA-n7vc-ddmt-xqp5 CVE-2020-15245 GHSA-6gw4-x63h-5499

Affected version: >=1.0.0,<1.1.0|>=1.1.0,<1.2.0|>=1.2.0,<1.3.0|>=1.3.0,<1.4.0|>=1.4.0,<1.5.0|>=1.5.0,<1.6.0|>=1.6.0,<1.6.9|>=1.7.0,<1.7.9|>=1.8.0,<1.8.3

Reported by:
GitHub, FriendsOfPHP/security-advisories
[LOW] Ability to switch channels via GET parameter enabled in production environments

PKSA-3b3k-ptfz-1wwy CVE-2020-5218 GHSA-prg5-hg25-8grq

Affected version: >=1.6.0,<1.6.5|>=1.5,<1.5.9|>=1.4.0,<1.4.12|<1.3.16

Reported by:
GitHub
[MEDIUM] CVE-2020-5220: Ability to define unintended serialisation groups via HTTP header which might lead to data exposure

PKSA-bpp9-7wqw-wr8k CVE-2020-5220 GHSA-8vp7-j5cj-vvm2

Affected version: >=1.0.0,<1.1.0|>=1.1.0,<1.2.0|>=1.2.0,<1.3.0|>=1.3.0,<1.3.12|>=1.4.0,<1.4.4

Reported by:
GitHub, FriendsOfPHP/security-advisories
[LOW] Internal exception message exposure for login action in Sylius

PKSA-5fvz-8hqw-qw9z CVE-2019-16768 GHSA-3r8j-pmch-5j2h

Affected version: >=1.6.0,<1.6.3|>=1.5.0,<1.5.7|>=1.4.0,<1.4.10|<1.3.14

Reported by:
GitHub
[MEDIUM] CVE-2019-12186: XSS injection in the Grid component

PKSA-7g19-4q79-335z CVE-2019-12186 GHSA-rc5r-697f-28x6

Affected version: >=1.0.0,<1.1.0|>=1.1.0,<1.1.18|>=1.2.0,<1.2.17|>=1.3.0,<1.3.12|>=1.4.0,<1.4.4

Reported by:
GitHub, FriendsOfPHP/security-advisories

sylius/sylius Security Advisories for v1.2.10 (9)

[MEDIUM] Sylius Cross Site Scripting (XSS) vulnerability

[MEDIUM] Improper sanitize of SVG files during content upload ('Cross-site Scripting') in sylius/sylius

[MEDIUM] Sensitive Information Exposure in Sylius

[MEDIUM] Improper Restriction of Rendered UI Layers or Frames in Sylius

[MEDIUM] CVE-2020-15245: Ability to switch customer email address on account detail page and stay verified

[LOW] Ability to switch channels via GET parameter enabled in production environments

[MEDIUM] CVE-2020-5220: Ability to define unintended serialisation groups via HTTP header which might lead to data exposure

[LOW] Internal exception message exposure for login action in Sylius

[MEDIUM] CVE-2019-12186: XSS injection in the Grid component