
Commit 79ef7b7

1 parent 8e1891b commit 79ef7b7


4 files changed

+123
-8
lines changed


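--- a/advisories/github-reviewed/2023/06/GHSA-6w63-h3fj-q4vw/GHSA-6w63-h3fj-q4vw.json
+++ b/advisories/github-reviewed/2023/06/GHSA-6w63-h3fj-q4vw/GHSA-6w63-h3fj-q4vw.json
@@ -1,13 +1,13 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-6w63-h3fj-q4vw",
-"modified": "2024-01-25T21:05:07Z",
+"modified": "2026-03-09T15:58:38Z",
 "published": "2023-06-06T17:33:13Z",
 "aliases": [
 "CVE-2023-34104"
 ],
 "summary": "fast-xml-parser vulnerable to Regex Injection via Doctype Entities",
-"details": "### Impact\n\"fast-xml-parser\" allows special characters in entity names, which are not escaped or sanitized. Since the entity name is used for creating a regex for searching and replacing entities in the XML body, an attacker can abuse it for DoS attacks. By crafting an entity name that results in an intentionally bad performing regex and utilizing it in the entity replacement step of the parser, this can cause the parser to stall for an indefinite amount of time.\n\n### Patches\nThe problem has been resolved in v4.2.4\n\n### Workarounds\nAvoid using DOCTYPE parsing by `processEntities: false` option.\n",
+"details": "### Impact\n\"fast-xml-parser\" allows special characters in entity names, which are not escaped or sanitized. Since the entity name is used for creating a regex for searching and replacing entities in the XML body, an attacker can abuse it for DoS attacks. By crafting an entity name that results in an intentionally bad performing regex and utilizing it in the entity replacement step of the parser, this can cause the parser to stall for an indefinite amount of time.\n\n### Patches\nThe problem has been resolved in v4.2.4\n\n### Workarounds\nAvoid using DOCTYPE parsing by `processEntities: false` option.",
 "severity": [
 {
 "type": "CVSS_V3",
@@ -59,7 +59,8 @@
 ],
 "database_specific": {
 "cwe_ids": [
-"CWE-1333"
+"CWE-1333",
+"CWE-400"
 ],
 "severity": "HIGH",
 "github_reviewed": true,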

advisories/github-reviewed/2024/05/GHSA-7prj-9ccr-hr3q/GHSA-7prj-9ccr-hr3q.json

Lines changed: 59 additions & 2 deletions
@@ -1,15 +1,72 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-7prj-9ccr-hr3q",
4-
"modified": "2024-05-10T15:33:22Z",
4+
"modified": "2026-03-09T15:57:32Z",
55
"published": "2024-05-10T15:33:22Z",
66
"aliases": [
77
"CVE-2024-29376"
88
],
99
"summary": "Sylius has potential Cross Site Scripting vulnerability via the \"Province\" field in the Checkout and Address Book",
10-
"details": "### Impact\n\nThere is a possibility to save XSS code in province field in the Checkout and Address Book and then execute it on these pages. The problem occurs when you open the address step page in the checkout or edit the address in the address book. This only affects the base UI Shop provided by Sylius.\n\n### Patches\nThe issue is fixed in versions: 1.12.16, 1.13.1 and above.\n\n### Workarounds\n\n1. Create new file `assets/shop/sylius-province-field.js`:\n\n```js\n// assets/shop/sylius-province-field.js\n\nfunction sanitizeInput(input) {\n const div = document.createElement('div');\n div.textContent = input;\n return div.innerHTML; // Converts text content to plain HTML, stripping any scripts\n}\n\nconst getProvinceInputValue = function getProvinceInputValue(valueSelector) {\n return valueSelector == undefined ? '' : `value=\"${sanitizeInput(valueSelector)}\"`;\n};\n\n$.fn.extend({\n provinceField() {\n const countrySelect = $('select[name$=\"[countryCode]\"]');\n\n countrySelect.on('change', (event) => {\n const select = $(event.currentTarget);\n const provinceContainer = select.parents('.field').next('div.province-container');\n\n const provinceSelectFieldName = select.attr('name').replace('country', 'province');\n const provinceInputFieldName = select.attr('name').replace('countryCode', 'provinceName');\n\n const provinceSelectFieldId = select.attr('id').replace('country', 'province');\n const provinceInputFieldId = select.attr('id').replace('countryCode', 'provinceName');\n\n const form = select.parents('form');\n\n if (select.val() === '' || select.val() == undefined) {\n provinceContainer.fadeOut('slow', () => {\n provinceContainer.html('');\n });\n\n return;\n }\n\n provinceContainer.attr('data-loading', true);\n form.addClass('loading');\n\n $.get(provinceContainer.attr('data-url'), { countryCode: select.val() }, (response) => {\n if (!response.content) {\n provinceContainer.fadeOut('slow', () => {\n provinceContainer.html('');\n\n 
provinceContainer.removeAttr('data-loading');\n form.removeClass('loading');\n });\n } else if (response.content.indexOf('select') !== -1) {\n provinceContainer.fadeOut('slow', () => {\n const provinceSelectValue = getProvinceInputValue((\n $(provinceContainer).find('select > option[selected$=\"selected\"]').val()\n ));\n\n provinceContainer.html((\n response.content\n .replace('name=\"sylius_address_province\"', `name=\"${provinceSelectFieldName}\"${provinceSelectValue}`)\n .replace('id=\"sylius_address_province\"', `id=\"${provinceSelectFieldId}\"`)\n .replace('option value=\"\" selected=\"selected\"', 'option value=\"\"')\n .replace(`option ${provinceSelectValue}`, `option ${provinceSelectValue}\" selected=\"selected\"`)\n ));\n provinceContainer.addClass('required');\n provinceContainer.removeAttr('data-loading');\n\n provinceContainer.fadeIn('fast', () => {\n form.removeClass('loading');\n });\n });\n } else {\n provinceContainer.fadeOut('slow', () => {\n const provinceInputValue = getProvinceInputValue($(provinceContainer).find('input').val());\n\n provinceContainer.html((\n response.content\n .replace('name=\"sylius_address_province\"', `name=\"${provinceInputFieldName}\"${provinceInputValue}`)\n .replace('id=\"sylius_address_province\"', `id=\"${provinceInputFieldId}\"`)\n ));\n\n provinceContainer.removeAttr('data-loading');\n\n provinceContainer.fadeIn('fast', () => {\n form.removeClass('loading');\n });\n });\n }\n });\n });\n\n if (countrySelect.val() !== '') {\n countrySelect.trigger('change');\n }\n\n if ($.trim($('div.province-container').text()) === '') {\n $('select.country-select').trigger('change');\n }\n\n const shippingAddressCheckbox = $('input[type=\"checkbox\"][name$=\"[differentShippingAddress]\"]');\n const shippingAddressContainer = $('#sylius-shipping-address-container');\n const toggleShippingAddress = function toggleShippingAddress() {\n shippingAddressContainer.toggle(shippingAddressCheckbox.prop('checked'));\n };\n 
toggleShippingAddress();\n shippingAddressCheckbox.on('change', toggleShippingAddress);\n },\n});\n```\n\n2. Add new import in `assets/shop/entry.js`:\n\n```js\n// assets/shop/entry.js\n// ...\nimport './sylius-province-field';\n```\n\n3. Rebuild your assets:\n\n```bash\nyarn build\n``` \n\n### Acknowledgements\n\nThis security issue has been reported by @r2tunes, thank you!\n\n### References\n\n- The original advisory: https://github.com/advisories/GHSA-mw82-6m2g-qh6c\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [Sylius issues](https://github.com/Sylius/Sylius/issues)\n* Email us at security@sylius.com\n",
10+
"details": "### Impact\n\nThere is a possibility to save XSS code in province field in the Checkout and Address Book and then execute it on these pages. The problem occurs when you open the address step page in the checkout or edit the address in the address book. This only affects the base UI Shop provided by Sylius.\n\n### Patches\nThe issue is fixed in versions: 1.9.12, 1.10.16, 1.11.17, 1.12.16, 1.13.1 and above.\n\n### Workarounds\n\n1. Create new file `assets/shop/sylius-province-field.js`:\n\n```js\n// assets/shop/sylius-province-field.js\n\nfunction sanitizeInput(input) {\n const div = document.createElement('div');\n div.textContent = input;\n return div.innerHTML; // Converts text content to plain HTML, stripping any scripts\n}\n\nconst getProvinceInputValue = function getProvinceInputValue(valueSelector) {\n return valueSelector == undefined ? '' : `value=\"${sanitizeInput(valueSelector)}\"`;\n};\n\n$.fn.extend({\n provinceField() {\n const countrySelect = $('select[name$=\"[countryCode]\"]');\n\n countrySelect.on('change', (event) => {\n const select = $(event.currentTarget);\n const provinceContainer = select.parents('.field').next('div.province-container');\n\n const provinceSelectFieldName = select.attr('name').replace('country', 'province');\n const provinceInputFieldName = select.attr('name').replace('countryCode', 'provinceName');\n\n const provinceSelectFieldId = select.attr('id').replace('country', 'province');\n const provinceInputFieldId = select.attr('id').replace('countryCode', 'provinceName');\n\n const form = select.parents('form');\n\n if (select.val() === '' || select.val() == undefined) {\n provinceContainer.fadeOut('slow', () => {\n provinceContainer.html('');\n });\n\n return;\n }\n\n provinceContainer.attr('data-loading', true);\n form.addClass('loading');\n\n $.get(provinceContainer.attr('data-url'), { countryCode: select.val() }, (response) => {\n if (!response.content) {\n provinceContainer.fadeOut('slow', () => {\n 
provinceContainer.html('');\n\n provinceContainer.removeAttr('data-loading');\n form.removeClass('loading');\n });\n } else if (response.content.indexOf('select') !== -1) {\n provinceContainer.fadeOut('slow', () => {\n const provinceSelectValue = getProvinceInputValue((\n $(provinceContainer).find('select > option[selected$=\"selected\"]').val()\n ));\n\n provinceContainer.html((\n response.content\n .replace('name=\"sylius_address_province\"', `name=\"${provinceSelectFieldName}\"${provinceSelectValue}`)\n .replace('id=\"sylius_address_province\"', `id=\"${provinceSelectFieldId}\"`)\n .replace('option value=\"\" selected=\"selected\"', 'option value=\"\"')\n .replace(`option ${provinceSelectValue}`, `option ${provinceSelectValue}\" selected=\"selected\"`)\n ));\n provinceContainer.addClass('required');\n provinceContainer.removeAttr('data-loading');\n\n provinceContainer.fadeIn('fast', () => {\n form.removeClass('loading');\n });\n });\n } else {\n provinceContainer.fadeOut('slow', () => {\n const provinceInputValue = getProvinceInputValue($(provinceContainer).find('input').val());\n\n provinceContainer.html((\n response.content\n .replace('name=\"sylius_address_province\"', `name=\"${provinceInputFieldName}\"${provinceInputValue}`)\n .replace('id=\"sylius_address_province\"', `id=\"${provinceInputFieldId}\"`)\n ));\n\n provinceContainer.removeAttr('data-loading');\n\n provinceContainer.fadeIn('fast', () => {\n form.removeClass('loading');\n });\n });\n }\n });\n });\n\n if (countrySelect.val() !== '') {\n countrySelect.trigger('change');\n }\n\n if ($.trim($('div.province-container').text()) === '') {\n $('select.country-select').trigger('change');\n }\n\n const shippingAddressCheckbox = $('input[type=\"checkbox\"][name$=\"[differentShippingAddress]\"]');\n const shippingAddressContainer = $('#sylius-shipping-address-container');\n const toggleShippingAddress = function toggleShippingAddress() {\n 
shippingAddressContainer.toggle(shippingAddressCheckbox.prop('checked'));\n };\n toggleShippingAddress();\n shippingAddressCheckbox.on('change', toggleShippingAddress);\n },\n});\n```\n\n2. Add new import in `assets/shop/entry.js`:\n\n```js\n// assets/shop/entry.js\n// ...\nimport './sylius-province-field';\n```\n\n3. If you're using Gulp, update your `gulpfile.babel.js`:\n\n```diff\n import chug from 'gulp-chug';\n+ import concat from 'gulp-concat';\n import gulp from 'gulp';\n import yargs from 'yargs';\n\n const { argv } = ...\n\n+ const rootPath = argv.rootPath || 'public/assets';\n+ \n const config = [...];\n '--rootPath',\n argv.rootPath || '../../../../../../../public/assets',\n '--nodeModulesPath',\n argv.nodeModulesPath || '../../../../../../../node_modules',\n ];\n\n ...\n\n export const buildShop = ...\n\n+ export const patchShopJs = function patchShopJs() {\n+ return gulp.src([\n+ `${rootPath}/shop/js/app.js`,\n+ 'assets/shop/sylius-province-field.js',\n+ ])\n+ .pipe(concat('app.js'))\n+ .pipe(gulp.dest(`${rootPath}/shop/js`));\n+ };\n+ patchShopJs.description = 'Append shop security patches to built app.js.';\n\n ...\n\n- export const build = gulp.parallel(buildAdmin, buildShop);\n+ export const build = gulp.series(\n+ gulp.parallel(buildAdmin, buildShop),\n+ patchShopJs,\n+ );\n\n ...\n\n- gulp.task('shop', buildShop);\n+ gulp.task('shop', gulp.series(buildShop, patchShopJs));\n\n ...\n```\n\n4. Rebuild your assets:\n\n```bash\nyarn build\n``` \n\n### Acknowledgements\n\nThis security issue has been reported by @r2tunes, thank you!\n\n### References\n\n- The original advisory: https://github.com/advisories/GHSA-mw82-6m2g-qh6c\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [Sylius issues](https://github.com/Sylius/Sylius/issues)\n* Email us at security@sylius.com",
1111
"severity": [],
1212
"affected": [
13+
{
14+
"package": {
15+
"ecosystem": "Packagist",
16+
"name": "sylius/sylius"
17+
},
18+
"ranges": [
19+
{
20+
"type": "ECOSYSTEM",
21+
"events": [
22+
{
23+
"introduced": "0"
24+
},
25+
{
26+
"fixed": "1.9.12"
27+
}
28+
]
29+
}
30+
]
31+
},
32+
{
33+
"package": {
34+
"ecosystem": "Packagist",
35+
"name": "sylius/sylius"
36+
},
37+
"ranges": [
38+
{
39+
"type": "ECOSYSTEM",
40+
"events": [
41+
{
42+
"introduced": "1.10.0-alpha.1"
43+
},
44+
{
45+
"fixed": "1.10.16"
46+
}
47+
]
48+
}
49+
]
50+
},
51+
{
52+
"package": {
53+
"ecosystem": "Packagist",
54+
"name": "sylius/sylius"
55+
},
56+
"ranges": [
57+
{
58+
"type": "ECOSYSTEM",
59+
"events": [
60+
{
61+
"introduced": "1.11.0-alpha.1"
62+
},
63+
{
64+
"fixed": "1.11.17"
65+
}
66+
]
67+
}
68+
]
69+
},
1370
{
1471
"package": {
1572
"ecosystem": "Packagist",
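Review bot: The `sanitizeInput` helper in the new `details` workaround (the added JSON line wrapped across three page lines, "Workarounds" step 1) escapes the province value via `textContent`/`innerHTML`, which encodes `&`, `<` and `>` but, as far as I can tell from HTML text-node serialization, leaves `"` untouched, and `getProvinceInputValue` then interpolates the result inside a double-quoted `value=\"…\"` attribute, so the attribute context is not fully covered. Consider also encoding quotes before the interpolation, e.g. `return div.innerHTML.replace(/"/g, '&quot;');` (with the quote escaped as `\"` inside the JSON string), or setting the attribute through the DOM API instead of string replacement. The new step 3 reads `argv.rootPath || 'public/assets'` while the existing config it sits next to passes `'../../../../../../../public/assets'`; if those are resolved from different working directories the concat would write to a different folder, so it may be worth stating which cwd the gulp task assumes. The three added `affected` ranges (fixed 1.9.12, 1.10.16, 1.11.17) agree with the updated "Patches" text.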
