Sylius
cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*
- >= 2.0.0, <= 2.0.15
- >= 2.1.0, <= 2.1.11
- >= 2.2.0, <= 2.2.2
A cross-site scripting (XSS) vulnerability has been identified in the Sylius eCommerce framework, specifically within the shop checkout login form managed by the ApiLoginController Stimulus controller. This issue affects Sylius versions 2.0.0 prior to 2.0.16, 2.1.0 prior to 2.1.12, and 2.2.0 prior to 2.2.3. The vulnerability arises when a login attempt fails and the AuthenticationFailureHandler returns a JSON response: the message field of that response is rendered into the DOM using innerHTML, so any HTML or JavaScript contained in the value is parsed and executed by the browser. While the default message value is not directly user-controlled, the vulnerability can be exploited under certain conditions, such as customized authentication handlers, translation injection, man-in-the-middle attacks, or server-side injection. Exploitation could lead to session hijacking, credential theft, manipulation of carts or orders, or phishing within the trusted shop domain.
Successful exploitation allows for cross-site scripting, where injected scripts are executed in the context of the user's browser.
Users can update to Sylius versions 2.0.16, 2.1.12, or 2.2.3 and above. Alternatively, the vulnerable JavaScript controller can be overridden at the project level by copying the original controller, applying a patch to render the response message as text instead of HTML, and registering the patched controller.
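The following is an added example, not code from Sylius or the advisory: it models the unsafe innerHTML rendering of the failure-handler JSON beside the text-only rendering the workaround describes, using a constructed element shim and a constructed sample response (the Stimulus wiring, element and function names are assumed for illustration).

```javascript
// Added example, not Sylius's own controller. The element shim, function names and
// sample response are constructed so the innerHTML/textContent difference is observable
// outside a browser.

// Escape the characters an HTML serializer escapes when emitting a text node.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

// Minimal stand-in for a DOM element: `html` holds what the browser would parse as markup.
function makeErrorElement() {
  return {
    html: '',
    set innerHTML(value) { this.html = String(value); },       // parsed as markup
    set textContent(value) { this.html = escapeHtml(value); }, // inserted as a text node
    get outerHTML() { return `<div class="login-error">${this.html}</div>`; },
  };
}

// Vulnerable rendering (the pattern in the advisory): "message" becomes live markup.
function renderFailureUnsafe(responseJson, element = makeErrorElement()) {
  const { message } = JSON.parse(responseJson);
  element.innerHTML = message;
  return element.outerHTML;
}

// Hardened rendering (the workaround): the message is inserted as text, never parsed.
function renderFailureSafe(responseJson, element = makeErrorElement()) {
  const { message } = JSON.parse(responseJson);
  element.textContent = message ?? 'Login failed.';
  return element.outerHTML;
}

// Review/test helper: does rendered output contain a tag carrying an inline event handler?
function hasInlineHandler(html) {
  return /<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

// Constructed sample in the shape of the AuthenticationFailureHandler JSON, with a message
// that could only reach the client under the conditions the advisory lists (e.g. a
// tampered translation or a customized failure handler).
const SAMPLE_RESPONSE = JSON.stringify({
  message: 'Invalid credentials. <img src=x onerror="alert(1)">',
});

console.log(renderFailureUnsafe(SAMPLE_RESPONSE)); // markup survives: handler would fire
console.log(renderFailureSafe(SAMPLE_RESPONSE));   // markup escaped: shown as plain text
```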