VYPR

Sylius

All CVEs

24 total · sorted by risk
  • CVE-2025-30152 · Med · Mar 19, 2025
    risk 0.35 · cvss 6.5 · epss 0.00

    The Sylius PayPal Plugin is the Sylius Core Team’s plugin for the PayPal Commerce Platform. Prior to 1.6.2, 1.7.2, and 2.0.2, a discovered vulnerability allows users to modify their shopping cart after completing the PayPal Checkout process and payment authorization. If a user…

  • CVE-2025-29788 · Med · Mar 17, 2025
    risk 0.35 · cvss 6.5 · epss 0.00

    The Sylius PayPal Plugin is the Sylius Core Team’s plugin for the PayPal Commerce Platform. A vulnerability in versions prior to 1.6.1, 1.7.1, and 2.0.1 allows users to manipulate the final payment amount processed by PayPal. If a user modifies the item quantity in their…

  • CVE-2024-40633 · Med · Jul 17, 2024
    risk 0.27 · cvss 5.3 · epss 0.00

    Sylius is an Open Source eCommerce Framework on Symfony. A security vulnerability was discovered in the `/api/v2/shop/adjustments/{id}` endpoint, which retrieves order adjustments based on incremental integer IDs. The vulnerability allows an attacker to enumerate valid…

  • CVE-2024-34349 · Med · May 14, 2024
    risk 0.24 · cvss 4.8 · epss 0.00

    Sylius is an open source eCommerce platform. Prior to 1.12.16 and 1.13.1, there is a possibility to execute javascript code in the Admin panel. In order to perform an XSS attack input a script into Name field in which of the resources: Taxons, Products, Product Options or…

  • CVE-2026-31825 · Mar 10, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Sylius is an Open Source eCommerce Framework on Symfony. Sylius API filters ProductPriceOrderFilter and TranslationOrderNameAndLocaleFilter pass user-supplied order direction values directly to Doctrine's orderBy() without validation. An attacker can inject arbitrary DQL. The…

  • CVE-2026-31824 · Mar 10, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Sylius is an Open Source eCommerce Framework on Symfony. A Time-of-Check To Time-of-Use (TOCTOU) race condition was discovered in the promotion usage limit enforcement. The same class of vulnerability affects the promotion usage limit (the global used counter on Promotion…

  • CVE-2026-31823 · Mar 10, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Sylius is an Open Source eCommerce Framework on Symfony. An authenticated stored cross-site scripting (XSS) vulnerability exists in multiple places across the shop frontend and admin panel due to unsanitized entity names being rendered as raw HTML. Shop breadcrumbs…

  • CVE-2026-31822 · Mar 10, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Sylius is an Open Source eCommerce Framework on Symfony. A cross-site scripting (XSS) vulnerability exists in the shop checkout login form handled by the ApiLoginController Stimulus controller. When a login attempt fails, AuthenticationFailureHandler returns a JSON response…

  • CVE-2026-31821 · Mar 10, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Sylius is an Open Source eCommerce Framework on Symfony. The POST /api/v2/shop/orders/{tokenValue}/items endpoint does not verify cart ownership. An unauthenticated attacker can add items to other registered customers' carts by knowing the cart tokenValue. An attacker who…

  • CVE-2026-31820 · Mar 10, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Sylius is an Open Source eCommerce Framework on Symfony. An authenticated Insecure Direct Object Reference (IDOR) vulnerability exists in multiple shop LiveComponents due to unvalidated resource IDs accepted via #[LiveArg] parameters. Unlike props, which are protected by…

  • CVE-2026-31819 · Mar 10, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Sylius is an Open Source eCommerce Framework on Symfony. CurrencySwitchController::switchAction(), ImpersonateUserController::impersonateAction() and StorageBasedLocaleSwitcher::handle() use the HTTP Referer header directly when redirecting. The attack requires the victim to…

  • CVE-2024-57610 · Feb 6, 2025
    risk 0.00 · cvss n/a · epss 0.01

    A rate limiting issue in Sylius v2.0.2 allows a remote attacker to perform unrestricted brute-force attacks on user accounts, significantly increasing the risk of account compromise and denial of service for legitimate users. The Supplier's position is that the Sylius core…

  • CVE-2021-3841 · Nov 15, 2024
    risk 0.00 · cvss n/a · epss 0.00

    sylius/sylius versions prior to 1.9.10, 1.10.11, and 1.11.2 are vulnerable to stored cross-site scripting (XSS) through SVG files. This vulnerability allows attackers to inject malicious scripts that can be executed in the context of the user's browser.

  • CVE-2024-29376 · Apr 22, 2024
    risk 0.00 · cvss n/a · epss 0.00

    Sylius 1.12.13 is vulnerable to Cross Site Scripting (XSS) via the "Province" field in Address Book.

  • CVE-2022-24752 · Mar 15, 2022
    risk 0.00 · cvss n/a · epss 0.01

    SyliusGridBundle is a package of generic data grids for Symfony applications. Prior to versions 1.10.1 and 1.11-rc2, values added at the end of query sorting were passed directly to the database. The maintainers do not know if this could lead to direct SQL injections but took…

  • CVE-2022-24749 · Mar 14, 2022
    risk 0.00 · cvss n/a · epss 0.01

    Sylius is an open source eCommerce platform. In versions prior to 1.9.10, 1.10.11, and 1.11.2, it is possible to upload an SVG file containing cross-site scripting (XSS) code in the admin panel. In order to perform a XSS attack, the file itself has to be open in a new card or…

  • CVE-2022-24743 · Mar 14, 2022
    risk 0.00 · cvss n/a · epss 0.01

    Sylius is an open source eCommerce platform. Prior to versions 1.10.11 and 1.11.2, the reset password token was not set to null after the password was changed. The same token could be used several times, which could result in leak of the existing token and unauthorized password…

  • CVE-2022-24742 · Mar 14, 2022
    risk 0.00 · cvss n/a · epss 0.01

    Sylius is an open source eCommerce platform. Prior to versions 1.9.10, 1.10.11, and 1.11.2, any other user can view the data if browser tab remains unclosed after log out. The issue is fixed in versions 1.9.10, 1.10.11, and 1.11.2. A workaround is available. The application must…

  • CVE-2022-24733 · Mar 14, 2022
    risk 0.00 · cvss n/a · epss 0.01

    Sylius is an open source eCommerce platform. Prior to versions 1.9.10, 1.10.11, and 1.11.2, it is possible for a page controlled by an attacker to load the website within an iframe. This will enable a clickjacking attack, in which the attacker's page overlays the target…

  • CVE-2021-41120 · Oct 5, 2021
    risk 0.00 · cvss n/a · epss 0.01

    sylius/paypal-plugin is a paypal plugin for the Sylius development platform. In affected versions the URL to the payment page done after checkout was created with autoincremented payment id (/pay-with-paypal/{id}) and therefore it was easy to predict. The problem is that the…

  • CVE-2021-32720 · Jun 28, 2021
    risk 0.00 · cvss n/a · epss 0.01

    Sylius is an Open Source eCommerce platform on top of Symfony. In versions of Sylius prior to 1.9.5 and 1.10.0-RC.1, part of the details (order ID, order number, items total, and token value) of all placed orders were exposed to unauthorized users. If exploited properly, a few…

  • CVE-2020-15245 · Oct 19, 2020
    risk 0.00 · cvss n/a · epss 0.01

    In Sylius before versions 1.6.9, 1.7.9 and 1.8.3, the user may register in a shop by email mail@example.com, verify it, change it to the mail another@domain.com and stay verified and enabled. This may lead to having accounts addressed to totally different emails, that were…

  • CVE-2020-5218 · Jan 27, 2020
    risk 0.00 · cvss n/a · epss 0.01

    Affected versions of Sylius give attackers the ability to switch channels via the _channel_code GET parameter in production environments. This was meant to be enabled only when kernel.debug is set to true. However, if no sylius_channel.debug is set explicitly in the…

  • CVE-2019-16768 · Dec 5, 2019
    risk 0.00 · cvss n/a · epss 0.01

    In affected versions of Sylius, exception messages from internal exceptions (like database exception) are wrapped by \Symfony\Component\Security\Core\Exception\AuthenticationServiceException and propagated through the system to UI. Therefore, some internal system information may…