CVE-2024-34349
Description
Sylius is an open source eCommerce platform. Prior to 1.12.16 and 1.13.1, there is a possibility to execute JavaScript code in the Admin panel. In order to perform an XSS attack, input a script into the Name field of one of the following resources: Taxons, Products, Product Options or Product Variants. The code will be executed while using an autocomplete field with one of the listed entities in the Admin Panel, and also for the taxons in the category tree on the product form. The issue is fixed in versions 1.12.16 and 1.13.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Sylius Admin Panel is vulnerable to stored XSS via the Name field of Taxons, Products, Options, and Variants, executed in autocomplete and category tree components.
Vulnerability
Description
CVE-2024-34349 is a stored cross-site scripting (XSS) vulnerability in Sylius, an open-source eCommerce platform. The flaw exists in the Admin Panel, where the "Name" field of resources such as Taxons, Products, Product Options, and Product Variants does not properly sanitize user input. An attacker with appropriate admin privileges can inject malicious JavaScript code into these fields [1].
Exploitation
To exploit this vulnerability, an attacker must have access to the Admin Panel and the ability to edit the Name fields of the mentioned resources. The injected script is stored and later executed when the autocomplete field (used for selecting these entities) renders the name, or when the category tree component on the product form displays taxon names. The autocomplete and tree components output the name without escaping, leading to XSS [1][3].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the Admin Panel. This could lead to session hijacking, data theft, defacement, or other malicious actions performed on behalf of the authenticated admin user. The CVSS v3 base score is 4.8 (Medium), reflecting the need for authenticated access and the limited scope of impact [1].
Mitigation
The vulnerability is fixed in Sylius versions 1.12.16 and 1.13.1, as well as earlier branches (1.9.12, 1.10.16, 1.11.17). Users should upgrade to a patched version. For those unable to upgrade immediately, a workaround is provided: create a custom JavaScript file that sanitizes input using a sanitizeInput function, as detailed in the advisory [1][2].
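The root cause described above is a renderer that interpolates a stored entity name into HTML without escaping. The following is an added example, not Sylius code and not the advisory's `sanitizeInput` workaround: it shows a minimal autocomplete result renderer in its vulnerable and hardened forms, with a constructed sample response (the `sampleResults` array and the `escapeHtml`, `renderUnsafe`, `renderSafe` and `containsStoredMarkup` names are all assumptions made for illustration). In a real browser component the equivalent fix is to assign the name via `textContent` rather than building markup strings.

```javascript
"use strict";
// Added example (not from the Sylius project): rendering entity names from an
// admin autocomplete response into HTML. The vulnerable path interpolates the
// stored name straight into markup; the hardened path HTML-escapes it first.

// Minimal HTML escaper covering the characters that matter in text and
// double/single-quoted attribute contexts.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Constructed sample: what an autocomplete endpoint might return when one
// taxon's Name field holds a script tag.
const sampleResults = [
  { id: 1, name: "T-shirts" },
  { id: 2, name: "Mugs <script>alert(1)</script>" },
];

// Vulnerable renderer: the stored name lands in the DOM as markup, so any tag
// in it is parsed and, for script-bearing content, executed.
function renderUnsafe(results) {
  return results
    .map((r) => `<div class="item" data-value="${r.id}">${r.name}</div>`)
    .join("");
}

// Hardened renderer: escape every interpolated value so the browser treats the
// name as text. The id is escaped too, since it sits inside an attribute.
function renderSafe(results) {
  return results
    .map(
      (r) =>
        `<div class="item" data-value="${escapeHtml(r.id)}">${escapeHtml(r.name)}</div>`
    )
    .join("");
}

// Review/test helper: does the rendered HTML still contain, verbatim, a stored
// name that itself looks like markup? True means the renderer is unescaped.
function containsStoredMarkup(html, results) {
  return results.some((r) => /<[a-z]/i.test(r.name) && html.includes(r.name));
}

// Stand-alone demonstration.
console.log("unsafe leaks markup:", containsStoredMarkup(renderUnsafe(sampleResults), sampleResults));
console.log("safe leaks markup:  ", containsStoredMarkup(renderSafe(sampleResults), sampleResults));
console.log(renderSafe(sampleResults));
```

The `containsStoredMarkup` check is the kind of assertion worth adding to a component's unit tests: feed every renderer a name containing a tag and fail the build if the output still contains that tag unescaped. Escaping at render time is the durable fix; sanitizing on input (the advisory's workaround) protects new data but not names already stored.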
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| sylius/sylius (Packagist) | < 1.9.12 | 1.9.12 |
| sylius/sylius (Packagist) | >= 1.10.0-alpha.1, < 1.10.16 | 1.10.16 |
| sylius/sylius (Packagist) | >= 1.11.0-alpha.1, < 1.11.17 | 1.11.17 |
| sylius/sylius (Packagist) | >= 1.12.0-alpha.1, < 1.12.16 | 1.12.16 |
| sylius/sylius (Packagist) | >= 1.13.0-alpha.1, < 1.13.1 | 1.13.1 |
Affected products
Patches (1)
390d580fc19eef14bca0af488ba4b66da5af8
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (3)
News mentions (0)
No linked articles in our index yet.