CVE-2019-12186

Published Dec 31, 2019

Last updated 5 years ago

CVSS medium 4.8

Overview

Description: An issue was discovered in Sylius products. Missing input sanitization in sylius/sylius 1.0.x through 1.0.18, 1.1.x through 1.1.17, 1.2.x through 1.2.16, 1.3.x through 1.3.11, and 1.4.x through 1.4.3 and sylius/grid 1.0.x through 1.0.18, 1.1.x through 1.1.18, 1.2.x through 1.2.17, 1.3.x through 1.3.12, 1.4.x through 1.4.4, and 1.5.0 allows an attacker (an admin in the sylius/sylius case) to perform XSS by injecting malicious code into a field displayed in a grid with the "string" field type. The contents are an object, with malicious code returned by the __toString() method of that object.
Source: cve@mitre.org
NVD status: Analyzed

Risk scores

CVSS 3.1

Type: Primary
Base score: 4.8
Impact score: 2.7
Exploitability score: 1.7
Vector string: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Severity: MEDIUM

CVSS 2.0

Type: Primary
Base score: 3.5
Impact score: 2.9
Exploitability score: 6.8
Vector string: AV:N/AC:M/Au:S/C:N/I:P/A:N

Weaknesses

nvd@nist.gov: CWE-79

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:sylius:grid:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "AC911003-6FB4-4013-878E-2696E5FBDB45",
            "versionEndIncluding": "1.0.18",
            "versionStartIncluding": "1.0.0"
          },
          {
            "criteria": "cpe:2.3:a:sylius:grid:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "E46AF7C5-BFCD-4533-8F88-889E7D232178",
            "versionEndIncluding": "1.1.18",
            "versionStartIncluding": "1.1.0"
          },
          {
            "criteria": "cpe:2.3:a:sylius:grid:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "17C678EC-4743-4502-9D43-058723BEB637",
            "versionEndIncluding": "1.2.17",
            "versionStartIncluding": "1.2.0"
          },
          {
            "criteria": "cpe:2.3:a:sylius:grid:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "54FE2F5A-AF55-4A65-9E0F-15B376C58082",
            "versionEndIncluding": "1.3.12",
            "versionStartIncluding": "1.3.0"
          },
          {
            "criteria": "cpe:2.3:a:sylius:grid:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "CB208C61-D7DB-4A34-BB81-7F03361F5C70",
            "versionEndIncluding": "1.4.4",
            "versionStartIncluding": "1.4.0"
          },
          {
            "criteria": "cpe:2.3:a:sylius:grid:1.5.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "8B826636-EE5E-43D0-B232-4F927FC3DDD5"
          },
          {
            "criteria": "cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "8BA67723-4EFB-4EE2-A3BE-4260C94EA2DE",
            "versionEndIncluding": "1.0.18",
            "versionStartIncluding": "1.0.0"
          },
          {
            "criteria": "cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "D8687DE9-3CE1-4D96-B9FC-0EDAD2E40364",
            "versionEndIncluding": "1.1.17",
            "versionStartIncluding": "1.1.0"
          },
          {
            "criteria": "cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "8009B7D8-1286-456D-861D-CB5D10E72923",
            "versionEndIncluding": "1.2.16",
            "versionStartIncluding": "1.2.0"
          },
          {
            "criteria": "cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "900547C2-8641-4430-ACEA-CDEF046D69D4",
            "versionEndIncluding": "1.3.11",
            "versionStartIncluding": "1.3.0"
          },
          {
            "criteria": "cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "188939AC-CC0A-496C-BCD4-25934D8BAADE",
            "versionEndIncluding": "1.4.3",
            "versionStartIncluding": "1.4.0"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

Overview

Risk scores

CVSS 3.1

CVSS 2.0

Weaknesses

Social media

Configurations

References