CVE-2024-29376
MEDIUM
Published 2024-04-22T00:00:00
Actions:
Expert Analysis
Professional remediation guidance
Get tailored security recommendations from our analyst team for CVE-2024-29376. We'll provide specific mitigation strategies based on your environment and risk profile.
CVSS Score
V3.1
6.4
/10
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Base Score Metrics
Exploitability: N/A
Impact: N/A
EPSS Score
v2025.03.14
0.001
probability
of exploitation in the wild
There is a 0.1% chance that this vulnerability will be exploited in the wild within the next 30 days.
Updated: 2025-06-25
Exploit Probability
Percentile: 0.196
Higher than 19.6% of all CVEs
Attack Vector Metrics
Impact Metrics
Description
Sylius 1.12.13 is vulnerable to Cross Site Scripting (XSS) via the "Province" field in Address Book.
Available Exploits
No exploits available for this CVE.
Related News
No news articles found for this CVE.
GitHub Security Advisories
Community-driven vulnerability intelligence from GitHub
✓ GitHub Reviewed
MODERATE
Sylius has potential Cross Site Scripting vulnerability via the "Province" field in the Checkout and Address Book
GHSA-7prj-9ccr-hr3qAdvisory Details
### Impact
There is a possibility to save XSS code in province field in the Checkout and Address Book and then execute it on these pages. The problem occurs when you open the address step page in the checkout or edit the address in the address book. This only affects the base UI Shop provided by Sylius.
### Patches
The issue is fixed in versions: 1.12.16, 1.13.1 and above.
### Workarounds
1. Create new file `assets/shop/sylius-province-field.js`:
```js
// assets/shop/sylius-province-field.js
function sanitizeInput(input) {
const div = document.createElement('div');
div.textContent = input;
return div.innerHTML; // Converts text content to plain HTML, stripping any scripts
}
const getProvinceInputValue = function getProvinceInputValue(valueSelector) {
return valueSelector == undefined ? '' : `value="${sanitizeInput(valueSelector)}"`;
};
$.fn.extend({
provinceField() {
const countrySelect = $('select[name$="[countryCode]"]');
countrySelect.on('change', (event) => {
const select = $(event.currentTarget);
const provinceContainer = select.parents('.field').next('div.province-container');
const provinceSelectFieldName = select.attr('name').replace('country', 'province');
const provinceInputFieldName = select.attr('name').replace('countryCode', 'provinceName');
const provinceSelectFieldId = select.attr('id').replace('country', 'province');
const provinceInputFieldId = select.attr('id').replace('countryCode', 'provinceName');
const form = select.parents('form');
if (select.val() === '' || select.val() == undefined) {
provinceContainer.fadeOut('slow', () => {
provinceContainer.html('');
});
return;
}
provinceContainer.attr('data-loading', true);
form.addClass('loading');
$.get(provinceContainer.attr('data-url'), { countryCode: select.val() }, (response) => {
if (!response.content) {
provinceContainer.fadeOut('slow', () => {
provinceContainer.html('');
provinceContainer.removeAttr('data-loading');
form.removeClass('loading');
});
} else if (response.content.indexOf('select') !== -1) {
provinceContainer.fadeOut('slow', () => {
const provinceSelectValue = getProvinceInputValue((
$(provinceContainer).find('select > option[selected$="selected"]').val()
));
provinceContainer.html((
response.content
.replace('name="sylius_address_province"', `name="${provinceSelectFieldName}"${provinceSelectValue}`)
.replace('id="sylius_address_province"', `id="${provinceSelectFieldId}"`)
.replace('option value="" selected="selected"', 'option value=""')
.replace(`option ${provinceSelectValue}`, `option ${provinceSelectValue}" selected="selected"`)
));
provinceContainer.addClass('required');
provinceContainer.removeAttr('data-loading');
provinceContainer.fadeIn('fast', () => {
form.removeClass('loading');
});
});
} else {
provinceContainer.fadeOut('slow', () => {
const provinceInputValue = getProvinceInputValue($(provinceContainer).find('input').val());
provinceContainer.html((
response.content
.replace('name="sylius_address_province"', `name="${provinceInputFieldName}"${provinceInputValue}`)
.replace('id="sylius_address_province"', `id="${provinceInputFieldId}"`)
));
provinceContainer.removeAttr('data-loading');
provinceContainer.fadeIn('fast', () => {
form.removeClass('loading');
});
});
}
});
});
if (countrySelect.val() !== '') {
countrySelect.trigger('change');
}
if ($.trim($('div.province-container').text()) === '') {
$('select.country-select').trigger('change');
}
const shippingAddressCheckbox = $('input[type="checkbox"][name$="[differentShippingAddress]"]');
const shippingAddressContainer = $('#sylius-shipping-address-container');
const toggleShippingAddress = function toggleShippingAddress() {
shippingAddressContainer.toggle(shippingAddressCheckbox.prop('checked'));
};
toggleShippingAddress();
shippingAddressCheckbox.on('change', toggleShippingAddress);
},
});
```
2. Add new import in `assets/shop/entry.js`:
```js
// assets/shop/entry.js
// ...
import './sylius-province-field';
```
3. Rebuild your assets:
```bash
yarn build
```
### Acknowledgements
This security issue has been reported by @r2tunes, thank you!
### References
- The original advisory: https://github.com/advisories/GHSA-mw82-6m2g-qh6c
### For more information
If you have any questions or comments about this advisory:
* Open an issue in [Sylius issues](https://github.com/Sylius/Sylius/issues)
* Email us at [email protected]
Affected Packages
Packagist
sylius/sylius
ECOSYSTEM:
≥1.12.0-alpha.1
<1.12.16
Packagist
sylius/sylius
ECOSYSTEM:
≥1.13.0-alpha.1
<1.13.1
CVSS Scoring
CVSS Score
5.0
References
PACKAGE
https://github.com/Sylius/Sylius
Advisory provided by GitHub Security Advisory Database. Published: May 10, 2024, Modified: May 10, 2024
Published: 2024-04-22T00:00:00
Last Modified: 2024-11-22T14:28:29.018Z
Copied to clipboard!