CVE-2022-24733

Improper Restriction of Rendered UI Layers or Frames in Sylius

CVSS 6.1 MEDIUM · EPSS 0.9% · CWE-1021
In short

Sylius websites can be loaded inside an attacker's iframe, allowing clickjacking attacks where users are tricked into clicking on hidden elements. This vulnerability affects versions before 1.9.10, 1.10.11, and 1.11.2.

Technical detail

CWE-1021: Improper restriction of rendered UI layers enables clickjacking via iframe embedding. The vulnerability exists because responses lack X-Frame-Options headers, allowing any site to embed the application. Attackers can overlay malicious UI elements to trick users into unintended actions.

Summary generated and translated by AI from the official description.
Sylius is an open source eCommerce platform. Prior to versions 1.9.10, 1.10.11, and 1.11.2, it is possible for a page controlled by an attacker to load the website within an iframe. This will enable a clickjacking attack, in which the attacker's page overlays the target application's interface with a different interface provided by the attacker. The issue is fixed in versions 1.9.10, 1.10.11, and 1.11.2. A workaround is available. Every response from the app should have an X-Frame-Options header set to `sameorigin`. To achieve that, add a new `subscriber` in the app.
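The workaround above (a subscriber that sets `X-Frame-Options: sameorigin` on every response) written out as an added example. This is not code from the Sylius project or from the advisory; the class name, namespace and the decision not to override a header another component already set are assumptions. It uses the standard Symfony `kernel.response` event that Sylius applications already run on.

```php
<?php
// Added example (not Sylius project code): a Symfony event subscriber that adds
// X-Frame-Options: sameorigin to every response, which is the workaround the
// advisory describes. Class and namespace are assumptions.

declare(strict_types=1);

namespace App\EventSubscriber;

use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpKernel\Event\ResponseEvent;
use Symfony\Component\HttpKernel\KernelEvents;

final class FrameOptionsSubscriber implements EventSubscriberInterface
{
    public static function getSubscribedEvents(): array
    {
        // Negative priority so this runs late, after other listeners have
        // finished building the response (including error and redirect pages).
        return [KernelEvents::RESPONSE => ['onKernelResponse', -10]];
    }

    public function onKernelResponse(ResponseEvent $event): void
    {
        $headers = $event->getResponse()->headers;

        // Leave a value another part of the application set on purpose
        // (for example DENY on a page that must never be framed) untouched;
        // otherwise apply the advisory's default.
        if (!$headers->has('X-Frame-Options')) {
            $headers->set('X-Frame-Options', 'sameorigin');
        }
    }
}
```

With the default `config/services.yaml` (`autoconfigure: true` and the `App\` resource), the class is picked up automatically because it implements `EventSubscriberInterface`; in an application without autoconfiguration, register the service with the `kernel.event_subscriber` tag. After deploying, confirm the header is present on an ordinary page and on an error page, e.g. `curl -sI https://shop.example.test/ | grep -i x-frame-options`. A `Content-Security-Policy: frame-ancestors 'self'` header is the modern equivalent and can be set in the same subscriber for browsers that prefer it.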
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Affected products
Sylius · Sylius
