Sylius Authenticated Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in Sylius, an open-source eCommerce framework based on Symfony. It is exploitable by authenticated users and is present in several versions of Sylius. The root cause is that entity names are rendered as raw HTML without sanitization, so a name containing markup is interpreted by the browser rather than displayed as text. The issue appears in several places: the shop frontend breadcrumbs, the admin product taxon picker, and admin autocomplete fields. In the shop frontend, a malicious taxon name is executed as JavaScript when the breadcrumbs are rendered; in the admin panel, the same taxon name is injected into the taxon tree and autocomplete markup. Because the payload is stored with the entity, it is persistent and affects every user who views an affected page.

Impact

Exploitation of this vulnerability allows for authenticated stored cross-site scripting, where injected scripts are executed in the context of the user viewing the affected page.

Remediation

To address this vulnerability, users can override the vulnerable templates and JavaScript controllers at the project level. Specific instructions for overriding the shop breadcrumbs template, the ProductTaxonTreeController.js, and adding XSS protection to autocomplete fields are available in the Sylius security advisory.
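The pattern the advisory describes, shown as an added illustration rather than Sylius's own code: a taxon name interpolated into markup unescaped, beside the same renderer with HTML escaping applied at the point of insertion. The taxon fields (`name`, `slug`, `code`) and the function names are assumptions for this example, as is the constructed sample data.

```javascript
// Added example (not Sylius project code). Demonstrates why rendering an
// entity name as raw HTML is dangerous and how escaping at the insertion
// point neutralizes a stored payload in breadcrumbs and autocomplete markup.

// Escape the five characters that can break out of text or attribute context.
// '&' is handled first so already-escaped output is not double-escaped.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the stored taxon name is concatenated into markup as-is.
function renderBreadcrumbUnsafe(taxons) {
  return taxons
    .map((t) => `<a href="/taxons/${t.slug}">${t.name}</a>`)
    .join(' / ');
}

// Hardened pattern: every untrusted value is escaped, in attribute and text.
function renderBreadcrumbSafe(taxons) {
  return taxons
    .map((t) => `<a href="/taxons/${escapeHtml(t.slug)}">${escapeHtml(t.name)}</a>`)
    .join(' / ');
}

// Hardened autocomplete option (the admin-side case): the name lands in a
// text node, the code in an attribute; both contexts need escaping.
function renderAutocompleteOption(taxon) {
  return `<div class="item" data-value="${escapeHtml(taxon.code)}">${escapeHtml(taxon.name)}</div>`;
}

// Constructed sample data: one ordinary taxon and one whose stored name
// carries markup, standing in for the malicious taxon name in the advisory.
const SAMPLE_TAXONS = [
  { code: 'mens', slug: 'mens', name: 'Men' },
  { code: 'shoes', slug: 'shoes', name: 'Shoes <script>evil()</script>' },
];

// Reviewer check: a raw <script> tag must never survive into rendered HTML.
function containsRawScriptTag(html) {
  return /<script\b/i.test(html);
}

console.log('unsafe leaks tag:', containsRawScriptTag(renderBreadcrumbUnsafe(SAMPLE_TAXONS)));
console.log('safe leaks tag:  ', containsRawScriptTag(renderBreadcrumbSafe(SAMPLE_TAXONS)));
```

The same check can be pointed at any overridden template or controller output to confirm the override actually escapes the name in every context it is rendered in.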

Added: Mar 10, 2026, 10:24 PM
Updated: Mar 10, 2026, 10:24 PM

Vulnerability Rating (Custom Algorithm)

spread:         3.4
impact:         1.7
exploitability: 4.7
remediation:    7.7
relevance:      3.7
threat:         0.0
urgency:        2.9
incentive:      0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.