CVE-2022-24733

Summary

Sylius is an open source eCommerce platform. Prior to versions 1.9.10, 1.10.11, and 1.11.2, it is possible for a page controlled by an attacker to load the website within an iframe. This will enable a clickjacking attack, in which the attacker's page overlays the target application's interface with a different interface provided by the attacker. The issue is fixed in versions 1.9.10, 1.10.11, and 1.11.2. A workaround is available. Every response from app should have an X-Frame-Options header set to: sameorigin. To achieve that, add a new subscriber in the app.

Affected Software

VendorProductVersion RangeStatus
SyliusSylius< 1.9.10affected
SyliusSylius>= 1.10.0, < 1.10.11affected
SyliusSylius>= 1.11.0, < 1.11.2affected

Weaknesses

  • CWE-1021: CWE-1021: Improper Restriction of Rendered UI Layers or Frames

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References