GHSA-65v7-wg35-2qpm: CSRF
First published: Wed May 29 2024(Updated: )
Sylius 1.0.0 to 1.0.16, 1.1.0 to 1.1.8, 1.2.0 to 1.2.1 versions of AdminBundle and ResourceBundle are affected by this security issue. This issue has been fixed in Sylius 1.0.17, 1.1.9 and 1.2.2. Development branch for 1.3 release has also been fixed. ### Description The following actions in the admin panel did not require a CSRF token: - marking order’s payment as completed - marking order’s payment as refunded - marking product review as accepted - marking product review as rejected ### Resolution The issue is fixed by adding a required CSRF token to those actions. We also fixed `ResourceController`‘s `applyStateMachineTransitionAction` method by adding a CSRF token check. If you use that action in the API context, you can disable it by adding `csrf_protection:` false to its routing configuration
| Affected Software | Affected Version | How to fix |
|---|---|---|
| composer/sylius/resource-bundle | >=1.2.0<1.2.2 | 1.2.2 |
| composer/sylius/resource-bundle | >=1.1.0<1.1.9 | 1.1.9 |
| composer/sylius/resource-bundle | >=1.0.0<1.0.17 | 1.0.17 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/Sylius/SyliusResourceBundle/commit/9720ac5a0a39ea2c2a395ef16a94a00aa86c418b
- https://github.com/FriendsOfPHP/security-advisories/blob/master/sylius/sylius/2018-07-09.yaml
- https://sylius.com/blog/csrf-vulnerability-in-admin-panel
- https://github.com/advisories/GHSA-65v7-wg35-2qpm (Advisory)
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-65v7-wg35-2qpm
- agent/software-canonical-lookup
- agent/severity
- agent/last-modified-date
- agent/references
- agent/weakness
- agent/softwarecombine
- agent/description
- agent/first-publish-date
- agent/event
- agent/type
- agent/tags
- collector/github-advisory
- package-manager/composer