Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

github логотип

GHSA-4jp3-q2qm-9fmw

Опубликовано: 14 мар. 2022
Источник: github
Github: Прошло ревью
CVSS3: 6.1

Описание

Improper Restriction of Rendered UI Layers or Frames in Sylius

Impact

It is possible for a page controlled by an attacker to load the website within an iframe. This will enable a clickjacking attack, in which the attacker's page overlays the target application's interface with a different interface provided by the attacker

Patches

The issue is fixed in versions: 1.9.10, 1.10.11, 1.11.2, and above.

Workarounds

Every response from app should have an X-Frame-Options header set to: sameorigin. To achieve that you just need to add a new subscriber in your app.

<?php // src/EventListener/XFrameOptionsSubscriber.php namespace App\EventListener final class XFrameOptionsSubscriber implements EventSubscriberInterface { public static function getSubscribedEvents(): array { return [ KernelEvents::RESPONSE => 'onKernelResponse', ]; } public function onKernelResponse(ResponseEvent $event): void { if (!$this->isMainRequest($event)) { return; } $response = $event->getResponse(); $response->headers->set('X-Frame-Options', 'sameorigin'); } private function isMainRequest(ResponseEvent $event): bool { if (\method_exists($event, 'isMainRequest')) { return $event->isMainRequest(); } return $event->isMasterRequest(); } }

And register it in the container:

# config/services.yaml services: # ... App\EventListener\XFrameOptionsSubscriber: tags: ['kernel.event_subscriber']

For more information

If you have any questions or comments about this advisory:

Ссылки

Пакеты

Наименование

sylius/sylius

composer
Затронутые версииВерсия исправления

< 1.9.10

1.9.10

Наименование

sylius/sylius

composer
Затронутые версииВерсия исправления

>= 1.10.0, < 1.10.11

1.10.11

Наименование

sylius/sylius

composer
Затронутые версииВерсия исправления

>= 1.11.0, < 1.11.2

1.11.2

EPSS

Процентиль: 52%
0.00285
Низкий

6.1 Medium

CVSS3

CVE ID

CVE-2022-24733

Дефекты

CWE-1021

Связанные уязвимости

nvd логотип

CVE-2022-24733

CVSS3: 6.1
nvd
почти 4 года назад

Sylius is an open source eCommerce platform. Prior to versions 1.9.10, 1.10.11, and 1.11.2, it is possible for a page controlled by an attacker to load the website within an iframe. This will enable a clickjacking attack, in which the attacker's page overlays the target application's interface with a different interface provided by the attacker. The issue is fixed in versions 1.9.10, 1.10.11, and 1.11.2. A workaround is available. Every response from app should have an X-Frame-Options header set to: ``sameorigin``. To achieve that, add a new `subscriber` in the app.

EPSS

Процентиль: 52%
0.00285
Низкий

6.1 Medium

CVSS3

CVE ID

CVE-2022-24733

Дефекты

CWE-1021