CVE-2022-24733
6.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
Sylius is an open source eCommerce platform. Prior to versions 1.9.10, 1.10.11, and 1.11.2, it is possible for a page controlled by an attacker to load the website within an iframe. This will enable a clickjacking attack, in which the attacker's page overlays the target application's interface with a different interface provided by the attacker. The issue is fixed in versions 1.9.10, 1.10.11, and 1.11.2. A workaround is available. Every response from app should have an X-Frame-Options header set to: sameorigin. To achieve that, add a new subscriber in the app.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Sylius | Sylius | < 1.9.10 | affected |
| Sylius | Sylius | >= 1.10.0, < 1.10.11 | affected |
| Sylius | Sylius | >= 1.11.0, < 1.11.2 | affected |
Weaknesses
- CWE-1021: CWE-1021: Improper Restriction of Rendered UI Layers or Frames
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/Sylius/Sylius/security/advisories/GHSA-4jp3-q2qm-9fmw
- https://github.com/Sylius/Sylius/releases/tag/v1.10.11
- https://github.com/Sylius/Sylius/releases/tag/v1.11.2
- https://github.com/Sylius/Sylius/releases/tag/v1.9.10
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://github.com/Sylius/Sylius/security/advisories/GHSA-4jp3-q2qm-9fmw
- https://github.com/Sylius/Sylius/releases/tag/v1.10.11
- https://github.com/Sylius/Sylius/releases/tag/v1.11.2
- https://github.com/Sylius/Sylius/releases/tag/v1.9.10
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.