CVE-2022-24742 – Exposure of Sensitive Information Due to Incompatible Policies in Sylius
https://notcve.org/view.php?id=CVE-2022-24742
Sylius is an open source eCommerce platform. Prior to versions 1.9.10, 1.10.11, and 1.11.2, any other user can view the data if the browser tab remains open after logout. The issue is fixed in versions 1.9.10, 1.10.11, and 1.11.2. A workaround is available: the application must strictly redirect to the login page even when the browser back button is pressed.
References: https://github.com/Sylius/Sylius/releases/tag/v1.10.11 https://github.com/Sylius/Sylius/releases/tag/v1.11.2 https://github.com/Sylius/Sylius/releases/tag/v1.9.10 https://github.com/Sylius/Sylius/security/advisories/GHSA-7563-75j9-6h5p
CWE: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor; CWE-668: Exposure of Resource to Wrong Sphere
CVE-2022-24733 – Improper Restriction of Rendered UI Layers or Frames in Sylius
https://notcve.org/view.php?id=CVE-2022-24733
Sylius is an open source eCommerce platform. Prior to versions 1.9.10, 1.10.11, and 1.11.2, it is possible for a page controlled by an attacker to load the website within an iframe. This enables a clickjacking attack, in which the attacker's page overlays the target application's interface with a different interface provided by the attacker. The issue is fixed in versions 1.9.10, 1.10.11, and 1.11.2. A workaround is available.
References: https://github.com/Sylius/Sylius/releases/tag/v1.10.11 https://github.com/Sylius/Sylius/releases/tag/v1.11.2 https://github.com/Sylius/Sylius/releases/tag/v1.9.10 https://github.com/Sylius/Sylius/security/advisories/GHSA-4jp3-q2qm-9fmw
CWE: CWE-1021: Improper Restriction of Rendered UI Layers or Frames
CVE-2021-41120 – Unauthorized access to Credit card form in sylius/paypal-plugin
https://notcve.org/view.php?id=CVE-2021-41120
sylius/paypal-plugin is a PayPal plugin for the Sylius development platform. In affected versions, the URL of the payment page reached after checkout was built from the auto-incremented payment id (/pay-with-paypal/{id}) and was therefore easy to predict. The credit card form on that page prefilled the "credit card holder" field with the customer's first and last name, which can lead to exposure of personally identifiable information. Additionally, the form did not require authentication. The problem has been patched in Sylius/PayPalPlugin 1.2.4 and 1.3.1.
References: https://github.com/Sylius/PayPalPlugin/commit/2adc46be2764ccee22b4247139b8056fb8d1afff https://github.com/Sylius/PayPalPlugin/commit/814923c2e9d97fe6279dcee866c34ced3d2fb7a7 https://github.com/Sylius/PayPalPlugin/security/advisories/GHSA-25fx-mxc2-76g7
CWE: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor; CWE-639: Authorization Bypass Through User-Controlled Key
CVE-2021-32720 – List of order ids, number, items total and token value exposed for unauthorized uses via new API
https://notcve.org/view.php?id=CVE-2021-32720
Sylius is an open source eCommerce platform built on top of Symfony. In versions of Sylius prior to 1.9.5 and 1.10.0-RC.1, part of the details (order ID, order number, items total, and token value) of all placed orders were exposed to unauthorized users. If exploited properly, a few additional pieces of information, such as the number of items in the cart and the shipping date, may be fetched as well. This data does not seem crucial and is not personal data; however, it could be used for sociotechnical attacks or may expose some details about the shop's condition to third parties. The data that can be aggregated includes the number of processed orders or their value at a given moment in time.
References: https://github.com/Sylius/Sylius/releases/tag/v1.9.5 https://github.com/Sylius/Sylius/security/advisories/GHSA-rpxh-vg2x-526v
CWE: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CVE-2020-15245 – Email verification bypass in Sylius
https://notcve.org/view.php?id=CVE-2020-15245
In Sylius before versions 1.6.9, 1.7.9 and 1.8.3, a user may register in a shop with the email mail@example.com, verify it, change it to another@domain.com, and remain verified and enabled. This may lead to verified accounts being addressed to entirely different emails. Note that this way one is not able to take over any existing account (guest or normal). The issue has been patched in Sylius 1.6.9, 1.7.9 and 1.8.3. As a workaround, you may resolve this issue on your own by creating a custom event listener which listens to the sylius.customer.pre_update event.
References: https://github.com/Sylius/Sylius/commit/60636d711a4011e8694d10d201b53632c7e8ecaf https://github.com/Sylius/Sylius/security/advisories/GHSA-6gw4-x63h-5499
CWE: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'); CWE-862: Missing Authorization