CVE-2019-12186
Description
An issue was discovered in Sylius products. Missing input sanitization in sylius/sylius 1.0.x through 1.0.18, 1.1.x through 1.1.17, 1.2.x through 1.2.16, 1.3.x through 1.3.11, and 1.4.x through 1.4.3 and sylius/grid 1.0.x through 1.0.18, 1.1.x through 1.1.18, 1.2.x through 1.2.17, 1.3.x through 1.3.12, 1.4.x through 1.4.4, and 1.5.0 allows an attacker (an admin in the sylius/sylius case) to perform XSS by injecting malicious code into a field displayed in a grid with the "string" field type. The contents are an object, with malicious code returned by the __toString() method of that object.
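The description above boils down to one rendering pattern: a grid cell value that is an object, cast to string through its __toString() method, and written into the HTML table without escaping. The following PHP is an added illustration and is not Sylius's own code; the class and function names (ProductName, renderStringFieldVulnerable, renderStringFieldEscaped, toCellText) are hypothetical, and the actual fix shipped in the patched versions listed below is not reproduced here. It shows the unescaped pattern next to the escaping a "string" field renderer should apply.

```php
<?php
declare(strict_types=1);

// Constructed example (not Sylius code): a value object that a grid row may
// carry in a "string" field. Whatever __toString() returns is what gets rendered.
final class ProductName
{
    public function __construct(private string $name)
    {
    }

    public function __toString(): string
    {
        return $this->name;
    }
}

// Normalise any cell value to text. Objects are only accepted when they are
// Stringable, so a non-stringable object fails loudly instead of rendering "Object".
function toCellText(mixed $value): string
{
    return match (true) {
        $value === null => '',
        is_scalar($value) => (string) $value,
        $value instanceof \Stringable => (string) $value,
        default => throw new \InvalidArgumentException('Value cannot be rendered as a string field'),
    };
}

// Vulnerable pattern: the __toString() output is concatenated straight into markup,
// so any HTML stored in the field (by anyone allowed to edit it) executes in the
// browser of whoever views the grid.
function renderStringFieldVulnerable(mixed $value): string
{
    return '<td>' . toCellText($value) . '</td>';
}

// Hardened pattern: escape after the cast, so the object's text is treated as data.
// ENT_QUOTES covers attribute contexts, ENT_SUBSTITUTE avoids dropping the whole
// string on invalid UTF-8 sequences.
function renderStringFieldEscaped(mixed $value): string
{
    $escaped = htmlspecialchars(
        toCellText($value),
        ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5,
        'UTF-8'
    );

    return '<td>' . $escaped . '</td>';
}

// Constructed sample input: a field whose text contains markup, as a stored-XSS test
// fixture would. Compare the two renderings.
$sample = new ProductName('T-Shirt <script>alert(1)</script>');

echo renderStringFieldVulnerable($sample), PHP_EOL;
echo renderStringFieldEscaped($sample), PHP_EOL;
```

In a Twig-based renderer the same distinction is whether the cell template outputs the value with autoescaping in effect or marks it `raw`; the cast-then-escape order matters because escaping must happen on the final text, not on the object. A regression test for a grid field type can reuse the fixture above and assert that the rendered cell contains no unescaped `<` character.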
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| sylius/grid | Packagist | >= 1.0.0, < 1.1.19 | 1.1.19 |
| sylius/grid | Packagist | >= 1.2.0, < 1.2.18 | 1.2.18 |
| sylius/grid | Packagist | >= 1.3.0, < 1.3.13 | 1.3.13 |
| sylius/grid | Packagist | >= 1.4.0, < 1.4.5 | 1.4.5 |
| sylius/grid | Packagist | >= 1.5.0, < 1.5.1 | 1.5.1 |
| sylius/grid-bundle | Packagist | >= 1.0.0, < 1.1.19 | 1.1.19 |
| sylius/grid-bundle | Packagist | >= 1.2.0, < 1.2.18 | 1.2.18 |
| sylius/grid-bundle | Packagist | >= 1.3.0, < 1.3.13 | 1.3.13 |
| sylius/grid-bundle | Packagist | >= 1.4.0, < 1.4.5 | 1.4.5 |
| sylius/grid-bundle | Packagist | >= 1.5.0, < 1.5.1 | 1.5.1 |
| sylius/sylius | Packagist | >= 1.0.0, < 1.1.18 | 1.1.18 |
| sylius/sylius | Packagist | >= 1.2.0, < 1.2.17 | 1.2.17 |
| sylius/sylius | Packagist | >= 1.3.0, < 1.3.12 | 1.3.12 |
| sylius/sylius | Packagist | >= 1.4.0, < 1.4.4 | 1.4.4 |
Affected products
- Sylius/Sylius (GHSA coordinates, no CPE assigned): 3 version ranges, >= 1.0.0, < 1.1.19 and 2 more
- (no CPE) range: >= 1.0.0, < 1.1.19
- (no CPE) range: >= 1.0.0, < 1.1.19
- (no CPE) range: >= 1.0.0, < 1.1.18
References
- github.com/advisories/GHSA-rc5r-697f-28x6 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-12186 (GHSA, advisory)
- github.com/FriendsOfPHP/security-advisories/blob/master/sylius/grid/CVE-2019-12186.yaml (GHSA, web)
- github.com/FriendsOfPHP/security-advisories/blob/master/sylius/sylius/CVE-2019-12186.yaml (GHSA, web)
- sylius.com/blog/cve-2019-12186 (GHSA, web)
- sylius.com/blog/cve-2019-12186/ (MITRE, x_refsource_CONFIRM)