SyliusGridBundle is a package of generic data grids for Symfony applications. Prior to versions 1.10.1 and 1.11-rc2, values added at the end of query sorting were passed directly to the database. The maintainers do not know if this could lead to direct SQL injections but took steps to remediate the vulnerability. The issue is fixed in versions 1.10.1 and 1.11-rc2. As a workaround, overwrite the`Sylius\Component\Grid\Sorting\Sorter.php` class and register it in the container. More information about this workaround is available in the GitHub Security Advisory.
References
Link | Resource |
---|---|
https://github.com/Sylius/SyliusGridBundle/commit/73d0791d0575f955e830a3da4c3345f420d2f784 | Patch Third Party Advisory |
https://github.com/Sylius/SyliusGridBundle/pull/222 | Patch Third Party Advisory |
https://github.com/Sylius/SyliusGridBundle/releases/tag/v1.10.1 | Release Notes Third Party Advisory |
https://github.com/Sylius/SyliusGridBundle/releases/tag/v1.11.0-RC.2 | Release Notes Third Party Advisory |
https://github.com/Sylius/SyliusGridBundle/security/advisories/GHSA-2xmm-g482-4439 | Third Party Advisory |
Configurations
Configuration 1 (hide)
|
History
No history.
Information
Published : 2022-03-15 15:15
Updated : 2024-02-28 19:09
NVD link : CVE-2022-24752
Mitre link : CVE-2022-24752
CVE.ORG link : CVE-2022-24752
JSON object : View
Products Affected
sylius
- syliusgridbundle
CWE
CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')