Skip to main content

Sylius CVE-2022-24749

MEDIUM
Basic XSS (CWE-80)
2022-03-14 security-advisories@github.com
6.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Mar 14, 2022 - 22:15 nvd
MEDIUM 6.1

DescriptionNVD

Sylius is an open source eCommerce platform. In versions prior to 1.9.10, 1.10.11, and 1.11.2, it is possible to upload an SVG file containing cross-site scripting (XSS) code in the admin panel. In order to perform a XSS attack, the file itself has to be open in a new card or loaded outside of the IMG tag. The problem applies both to the files opened on the admin panel and shop pages. The issue is fixed in versions 1.9.10, 1.10.11, and 1.11.2. As a workaround, require a library that adds on-upload file sanitization and overwrite the service before writing the file to the filesystem. The GitHub Security Advisory contains more specific information about the workaround.

AnalysisAI

Sylius is an open source eCommerce platform. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified under CWE-80. Sylius is an open source eCommerce platform. In versions prior to 1.9.10, 1.10.11, and 1.11.2, it is possible to upload an SVG file containing cross-site scripting (XSS) code in the admin panel. In order to perform a XSS attack, the file itself has to be open in a new card or loaded outside of the IMG tag. The problem applies both to the files opened on the admin panel and shop pages. The issue is fixed in versions 1.9.10, 1.10.11, and 1.11.2. As a workaround, require a library that adds on-upload file sanitization and overwrite the service before writing the file to the filesystem. The GitHub Security Advisory contains more specific information about the workaround. Affected products include: Sylius. Version information: prior to 1.9.10.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

More in Sylius

View all
CVE-2024-57610 HIGH POC
7.5 Feb 06

A rate limiting issue in Sylius v2.0.2 allows a remote attacker to perform unrestricted brute-force attacks on user acco

CVE-2022-24743 HIGH POC
8.2 Mar 14

Sylius is an open source eCommerce platform. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable,

CVE-2024-29376 MEDIUM POC
6.4 Apr 22

Sylius 1.12.13 is vulnerable to Cross Site Scripting (XSS) via the "Province" field in Address Book. Rated medium severi

CVE-2026-31824 HIGH
8.2 Mar 10

Sylius eCommerce Framework is vulnerable to a race condition in promotion and coupon usage limit enforcement, where conc

CVE-2026-31820 MEDIUM
6.5 Mar 10

Authenticated users in Sylius eCommerce can access sensitive customer data belonging to other users through unvalidated

CVE-2026-31819 MEDIUM
6.1 Mar 10

Open redirect vulnerabilities in Sylius eCommerce Framework allow unauthenticated attackers to redirect users to arbitra

CVE-2026-31822 MEDIUM
6.1 Mar 10

Stored XSS in Sylius checkout login form allows unauthenticated attackers to inject malicious scripts through authentica

CVE-2022-24733 MEDIUM
6.1 Mar 14

Sylius is an open source eCommerce platform. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitabl

CVE-2022-24742 MEDIUM
5.5 Mar 14

Sylius is an open source eCommerce platform. Rated medium severity (CVSS 5.5), this vulnerability is no authentication r

CVE-2026-31821 MEDIUM
5.3 Mar 10

Sylius eCommerce framework's cart API endpoint fails to validate cart ownership, allowing unauthenticated attackers to a

CVE-2026-31825 MEDIUM
5.3 Mar 10

Sylius eCommerce Framework versions prior to 1.9.12, 1.10.16, 1.11.17, 1.12.23, 1.13.15, 1.14.18, 2.0.16, 2.1.12, and 2.

CVE-2021-32720 MEDIUM
5.3 Jun 28

Sylius is an Open Source eCommerce platform on top of Symfony. Rated medium severity (CVSS 5.3), this vulnerability is r

Share

CVE-2022-24749 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy