Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

GHSA-7prj-9ccr-hr3q

GitHub Security Advisory

Sylius has potential Cross Site Scripting vulnerability via the "Province" field in the Checkout and Address Book

✓ GitHub Reviewed MODERATE Has CVE
View on GitHub

Advisory Details

### Impact

There is a possibility to save XSS code in province field in the Checkout and Address Book and then execute it on these pages. The problem occurs when you open the address step page in the checkout or edit the address in the address book. This only affects the base UI Shop provided by Sylius.

### Patches
The issue is fixed in versions: 1.12.16, 1.13.1 and above.

### Workarounds

1. Create new file `assets/shop/sylius-province-field.js`:

```js
// assets/shop/sylius-province-field.js

function sanitizeInput(input) {
const div = document.createElement('div');
div.textContent = input;
return div.innerHTML; // Converts text content to plain HTML, stripping any scripts
}

const getProvinceInputValue = function getProvinceInputValue(valueSelector) {
return valueSelector == undefined ? '' : `value="${sanitizeInput(valueSelector)}"`;
};

$.fn.extend({
provinceField() {
const countrySelect = $('select[name$="[countryCode]"]');

countrySelect.on('change', (event) => {
const select = $(event.currentTarget);
const provinceContainer = select.parents('.field').next('div.province-container');

const provinceSelectFieldName = select.attr('name').replace('country', 'province');
const provinceInputFieldName = select.attr('name').replace('countryCode', 'provinceName');

const provinceSelectFieldId = select.attr('id').replace('country', 'province');
const provinceInputFieldId = select.attr('id').replace('countryCode', 'provinceName');

const form = select.parents('form');

if (select.val() === '' || select.val() == undefined) {
provinceContainer.fadeOut('slow', () => {
provinceContainer.html('');
});

return;
}

provinceContainer.attr('data-loading', true);
form.addClass('loading');

$.get(provinceContainer.attr('data-url'), { countryCode: select.val() }, (response) => {
if (!response.content) {
provinceContainer.fadeOut('slow', () => {
provinceContainer.html('');

provinceContainer.removeAttr('data-loading');
form.removeClass('loading');
});
} else if (response.content.indexOf('select') !== -1) {
provinceContainer.fadeOut('slow', () => {
const provinceSelectValue = getProvinceInputValue((
$(provinceContainer).find('select > option[selected$="selected"]').val()
));

provinceContainer.html((
response.content
.replace('name="sylius_address_province"', `name="${provinceSelectFieldName}"${provinceSelectValue}`)
.replace('id="sylius_address_province"', `id="${provinceSelectFieldId}"`)
.replace('option value="" selected="selected"', 'option value=""')
.replace(`option ${provinceSelectValue}`, `option ${provinceSelectValue}" selected="selected"`)
));
provinceContainer.addClass('required');
provinceContainer.removeAttr('data-loading');

provinceContainer.fadeIn('fast', () => {
form.removeClass('loading');
});
});
} else {
provinceContainer.fadeOut('slow', () => {
const provinceInputValue = getProvinceInputValue($(provinceContainer).find('input').val());

provinceContainer.html((
response.content
.replace('name="sylius_address_province"', `name="${provinceInputFieldName}"${provinceInputValue}`)
.replace('id="sylius_address_province"', `id="${provinceInputFieldId}"`)
));

provinceContainer.removeAttr('data-loading');

provinceContainer.fadeIn('fast', () => {
form.removeClass('loading');
});
});
}
});
});

if (countrySelect.val() !== '') {
countrySelect.trigger('change');
}

if ($.trim($('div.province-container').text()) === '') {
$('select.country-select').trigger('change');
}

const shippingAddressCheckbox = $('input[type="checkbox"][name$="[differentShippingAddress]"]');
const shippingAddressContainer = $('#sylius-shipping-address-container');
const toggleShippingAddress = function toggleShippingAddress() {
shippingAddressContainer.toggle(shippingAddressCheckbox.prop('checked'));
};
toggleShippingAddress();
shippingAddressCheckbox.on('change', toggleShippingAddress);
},
});
```

2. Add new import in `assets/shop/entry.js`:

```js
// assets/shop/entry.js
// ...
import './sylius-province-field';
```

3. Rebuild your assets:

```bash
yarn build
```

### Acknowledgements

This security issue has been reported by @r2tunes, thank you!

### References

- The original advisory: https://github.com/advisories/GHSA-mw82-6m2g-qh6c

### For more information
If you have any questions or comments about this advisory:
* Open an issue in [Sylius issues](https://github.com/Sylius/Sylius/issues)
* Email us at [email protected]

Affected Packages

Packagist sylius/sylius
Affected versions: 1.12.0-alpha.1 (fixed in 1.12.16)
Packagist sylius/sylius
Affected versions: 1.13.0-alpha.1 (fixed in 1.13.1)

Related CVEs

CVE-2024-29376

Key Information

GHSA ID
GHSA-7prj-9ccr-hr3q
Published
May 10, 2024 3:33 PM
Last Modified
May 10, 2024 3:33 PM
CVSS Score
5.0 /10
Primary Ecosystem
Packagist
Primary Package
sylius/sylius
GitHub Reviewed
✓ Yes

Dataset

Last updated: July 12, 2025 6:29 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.