Description
Sylius is an open source eCommerce platform. Prior to versions 1.9.10, 1.10.11, and 1.11.2, a page controlled by an attacker can load the website inside an iframe. This enables a clickjacking attack, in which the attacker's page overlays the target application's interface with a different interface supplied by the attacker, so that clicks the victim believes are on the attacker's page actually land on the Sylius UI. The issue is fixed in versions 1.9.10, 1.10.11, and 1.11.2. A workaround is available: every response from the app should carry an X-Frame-Options header set to sameorigin. To achieve that, add a new event subscriber to the app.
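The following is an added example of the workaround described above, written for this page; it is not code from the Sylius project or the advisory. It is a Symfony kernel.response subscriber that sets X-Frame-Options: sameorigin on every main-request response. The class name, namespace and listener priority are assumptions; the only requirement is that the class is registered as a service (default autowiring with autoconfigure in a Symfony application picks it up automatically).

```php
<?php
// Added example, not Sylius project code. Class name, namespace and the
// listener priority below are assumptions for illustration.

declare(strict_types=1);

namespace App\EventSubscriber;

use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpKernel\Event\ResponseEvent;
use Symfony\Component\HttpKernel\KernelEvents;

final class FrameOptionsSubscriber implements EventSubscriberInterface
{
    public static function getSubscribedEvents(): array
    {
        // Negative priority: run after most other response listeners so the
        // header is present on whatever response finally leaves the kernel.
        return [KernelEvents::RESPONSE => ['onKernelResponse', -10]];
    }

    public function onKernelResponse(ResponseEvent $event): void
    {
        // Only the main request's response reaches the browser; sub-requests
        // (ESI/fragment rendering) are internal and already covered by it.
        // On Symfony < 5.3 use $event->isMasterRequest() instead.
        if (!$event->isMainRequest()) {
            return;
        }

        $response = $event->getResponse();

        // Do not overwrite a stricter value (e.g. DENY) that a controller set
        // deliberately; only fill in the header where it is missing.
        if ($response->headers->has('X-Frame-Options')) {
            return;
        }

        $response->headers->set('X-Frame-Options', 'sameorigin');
    }
}
```

After deploying, verify with `curl -sI https://shop.example/ | grep -i x-frame-options` (hostname assumed) on a few routes, including the admin panel and any JSON/API endpoint, since the advisory asks for the header on every response. X-Frame-Options only permits same-origin or no framing; if a specific partner origin must embed the shop, that requires a Content-Security-Policy frame-ancestors directive in addition to this header.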
Vulnerable configurations
Configuration 1 (one of):
- cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:* (versions before 1.9.10, exclusive)
- cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:* (versions from 1.10.0, inclusive, to 1.10.11, exclusive)
- cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:* (versions from 1.11.0, inclusive, to 1.11.2, exclusive)
EPSS: 0.00285 (percentile 52%, Low)
CVSS3: 6.1 Medium
CVSS2: 5.8 Medium
Weaknesses: CWE-1021 (Improper Restriction of Rendered UI Layers or Frames)
Related vulnerabilities
- github, almost 4 years ago: Improper Restriction of Rendered UI Layers or Frames in Sylius (CVSS3 6.1 Medium, CVSS2 5.8 Medium, EPSS 0.00285 at percentile 52%, Low; CWE-1021)