CVE-2019-12186
Severity CVSS v4.0: Pending analysis
Type: CWE-79 Cross-Site Scripting (XSS)
Publication date: 31/12/2019
Last modified: 08/01/2020
Description
An issue was discovered in Sylius products. Missing input sanitization in sylius/sylius 1.0.x through 1.0.18, 1.1.x through 1.1.17, 1.2.x through 1.2.16, 1.3.x through 1.3.11, and 1.4.x through 1.4.3 and sylius/grid 1.0.x through 1.0.18, 1.1.x through 1.1.18, 1.2.x through 1.2.17, 1.3.x through 1.3.12, 1.4.x through 1.4.4, and 1.5.0 allows an attacker (an admin in the sylius/sylius case) to perform XSS by injecting malicious code into a field displayed in a grid with the "string" field type. The contents are an object, with malicious code returned by the __toString() method of that object.

In practice the weak point is output handling rather than input handling: the "string" field type turns the extracted value into a string with a `(string)` cast, which invokes `__toString()` when the value is an object, and the result is emitted into the grid markup without HTML escaping. Any tag or event-handler attribute that method returns therefore executes in the browser of whoever views the grid. The attacker prerequisite differs by package: in sylius/sylius the affected grids live in the admin panel, so the injecting user already needs admin rights, whereas an application that uses sylius/grid on its own exposes every viewer of a grid whose displayed data can be written by a less trusted party. The version ranges listed below end at the last vulnerable patch release of each branch, so the remedy is the following patch release (for example sylius/grid 1.5.1 and sylius/sylius 1.4.4).
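The rendering pattern behind this CVE, as an added illustration that is not Sylius's own code: a grid field whose value is an object is cast to string (running `__toString()`), and the difference between the vulnerable and the fixed behaviour is whether the field type escapes what it returns before the grid prints it. The class and function names (`StringableValue`, `renderStringFieldVulnerable`, `renderStringFieldHardened`, `renderCell`, `escapingIsEffective`) and the payload are constructed for this example and assume PHP 8.0 or later.

```php
<?php
declare(strict_types=1);

// Illustrative value object, not Sylius code. A grid row field that holds an
// object rather than a scalar; casting it to string runs __toString(), and
// whatever that returns is what the grid ends up printing.
final class StringableValue
{
    public function __construct(private string $raw)
    {
    }

    public function __toString(): string
    {
        return $this->raw;
    }
}

// Vulnerable shape of a "string" field type: trust the cast result and return
// it unchanged. If the grid template prints field output as raw HTML (it has
// to, because other field types legitimately return markup), the payload runs.
function renderStringFieldVulnerable(mixed $value): string
{
    return (string) $value;
}

// Hardened shape: the field type escapes its own output, so markup coming out
// of __toString() becomes inert text. ENT_QUOTES also covers attribute
// context; ENT_SUBSTITUTE avoids returning an empty string on invalid UTF-8,
// which would silently hide the value instead of escaping it.
function renderStringFieldHardened(mixed $value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Stand-in for the grid template's cell rendering: deliberately no escaping
// here, to show that the field type is the last place it can happen.
function renderCell(string $renderedField): string
{
    return '<td>' . $renderedField . '</td>';
}

// True when the hardened renderer neutralises a payload that the vulnerable
// renderer passes through verbatim: the inner text of the hardened cell must
// contain no character that could open a tag or break out of an attribute.
function escapingIsEffective(string $payload): bool
{
    $value  = new StringableValue($payload);
    $unsafe = renderCell(renderStringFieldVulnerable($value));
    $safe   = renderCell(renderStringFieldHardened($value));
    $inner  = substr($safe, strlen('<td>'), -strlen('</td>'));

    return str_contains($unsafe, $payload)
        && strpbrk($inner, '<>"\'') === false;
}

// Constructed payload: content an attacker with write access to the displayed
// field (an admin, in the sylius/sylius case) could store in the record.
$payload = '<img src=x onerror="alert(document.cookie)">';
$value   = new StringableValue($payload);

echo "vulnerable: ", renderCell(renderStringFieldVulnerable($value)), "\n";
echo "hardened:   ", renderCell(renderStringFieldHardened($value)), "\n";
echo escapingIsEffective($payload) ? "escaping effective\n" : "escaping FAILED\n";
```

Run with `php example.php`. The hardened function applies the usual remedy for this class of bug, and the one the description implies: escape inside the field type, because a grid has to print field output raw to accommodate field types that intentionally produce markup, so no blanket escaping at the template level can be relied on. Escaping for the HTML sink is the fix; a Content-Security-Policy on the admin panel is a useful second layer but does not replace it.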
Impact
| CVSS version | Base score | Severity |
|---|---|---|
| 3.x | 4.80 | MEDIUM |
| 2.0 | 3.50 | LOW |
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:sylius:grid:*:*:*:*:*:*:*:* | 1.0.0 (including) | 1.0.18 (including) |
| cpe:2.3:a:sylius:grid:*:*:*:*:*:*:*:* | 1.1.0 (including) | 1.1.18 (including) |
| cpe:2.3:a:sylius:grid:*:*:*:*:*:*:*:* | 1.2.0 (including) | 1.2.17 (including) |
| cpe:2.3:a:sylius:grid:*:*:*:*:*:*:*:* | 1.3.0 (including) | 1.3.12 (including) |
| cpe:2.3:a:sylius:grid:*:*:*:*:*:*:*:* | 1.4.0 (including) | 1.4.4 (including) |
| cpe:2.3:a:sylius:grid:1.5.0:*:*:*:*:*:*:* | 1.5.0 (including) | 1.5.0 (including) |
| cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:* | 1.0.0 (including) | 1.0.18 (including) |
| cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:* | 1.1.0 (including) | 1.1.17 (including) |
| cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:* | 1.2.0 (including) | 1.2.16 (including) |
| cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:* | 1.3.0 (including) | 1.3.11 (including) |
| cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:* | 1.4.0 (including) | 1.4.3 (including) |