An issue exists in Sylius products. Missing input sanitization in sylius/sylius 1.0.x up to and including 1.0.18, 1.1.x up to and including 1.1.17, 1.2.x up to and including 1.2.16, 1.3.x up to and including 1.3.11, and 1.4.x up to and including 1.4.3 and sylius/grid 1.0.x up to and including 1.0.18, 1.1.x up to and including 1.1.18, 1.2.x up to and including 1.2.17, 1.3.x up to and including 1.3.12, 1.4.x up to and including 1.4.4, and 1.5.0 allows an attacker (an admin in the sylius/sylius case) to perform XSS by injecting malicious code into a field displayed in a grid with the "string" field type. The contents are an object, with malicious code returned by the __toString() method of that object.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
sylius grid |
||
sylius grid 1.5.0 |
||
sylius sylius |