CVE-2022-24733

### Impact It is possible for a page controlled by an attacker to load the website within an iframe. This will enable a clickjacking attack, in which the attacker's page overlays the target application's interface with a different interface provided by the attacker ### Patches The issue is fixed in versions: 1.9.10, 1.10.11, 1.11.2, and above. ### Workarounds Every response from app should have an X-Frame-Options header set to: ``sameorigin``. To achieve that you just need to add a new **subscriber** in your app. ```php <?php // src/EventListener/XFrameOptionsSubscriber.php namespace App\EventListener final class XFrameOptionsSubscriber implements EventSubscriberInterface { public static function getSubscribedEvents(): array { return [ KernelEvents::RESPONSE => 'onKernelResponse', ]; } public function onKernelResponse(ResponseEvent $event): void { if (!$this->isMainRequest($event)) { return; } $response = $event->getResponse(); $response->headers->set('X-Frame-Options', 'sameorigin'); } private function isMainRequest(ResponseEvent $event): bool { if (\method_exists($event, 'isMainRequest')) { return $event->isMainRequest(); } return $event->isMasterRequest(); } } ``` And register it in the container: ```yaml # config/services.yaml services: # ... App\EventListener\XFrameOptionsSubscriber: tags: ['kernel.event_subscriber'] ``` ### For more information If you have any questions or comments about this advisory: * Open an issue in [Sylius issues](https://github.com/Sylius/Sylius/issues) * Email us at [[email protected]](mailto:[email protected])