CVE-2022-24749— Sylius 跨站脚本漏洞

Basic Cross-site Scripting and Unrestricted Upload of File with Dangerous Type in Sylius

Sylius is an open source eCommerce platform. In versions prior to 1.9.10, 1.10.11, and 1.11.2, it is possible to upload an SVG file containing cross-site scripting (XSS) code in the admin panel. In order to perform a XSS attack, the file itself has to be open in a new card or loaded outside of the IMG tag. The problem applies both to the files opened on the admin panel and shop pages. The issue is fixed in versions 1.9.10, 1.10.11, and 1.11.2. As a workaround, require a library that adds on-upload file sanitization and overwrite the service before writing the file to the filesystem. The GitHub Security Advisory contains more specific information about the workaround.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Web页面中脚本相关HTML标签转义处理不恰当(基本跨站脚本)

Sylius 跨站脚本漏洞

Sylius是波兰Sylius公司的一套基于Symfony框架的开源电子商务平台。 Sylius 存在安全漏洞，目前暂无该漏洞信息，请随时关注CNNVD或厂商公告。

N/A

N/A