GHSA-7prj-9ccr-hr3q
Sylius has potential Cross Site Scripting vulnerability via the "Province" field in the Checkout and Address Book
EPSS Exploitation Probability
EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.
Blast Radius
sylius/sylius🐘sylius/sylius🐘sylius/sylius🐘sylius/sylius🐘sylius/syliusReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects Packagist packages — download data is not available via public APIs for these ecosystems.
Description
Impact
There is a possibility to save XSS code in province field in the Checkout and Address Book and then execute it on these pages. The problem occurs when you open the address step page in the checkout or edit the address in the address book. This only affects the base UI Shop provided by Sylius.
Patches
The issue is fixed in versions: 1.9.12, 1.10.16, 1.11.17, 1.12.16, 1.13.1 and above.
Workarounds
- Create new file
assets/shop/sylius-province-field.js:
// assets/shop/sylius-province-field.js
function sanitizeInput(input) {
const div = document.createElement('div');
div.textContent = input;
return div.innerHTML; // Converts text content to plain HTML, stripping any scripts
}
const getProvinceInputValue = function getProvinceInputValue(valueSelector) {
return valueSelector == undefined ? '' : `value="${sanitizeInput(valueSelector)}"`;
};
$.fn.extend({
provinceField() {
const countrySelect = $('select[name$="[countryCode]"]');
countrySelect.on('change', (event) => {
const select = $(event.currentTarget);
const provinceContainer = select.parents('.field').next('div.province-container');
const provinceSelectFieldName = select.attr('name').replace('country', 'province');
const provinceInputFieldName = select.attr('name').replace('countryCode', 'provinceName');
const provinceSelectFieldId = select.attr('id').replace('country', 'province');
const provinceInputFieldId = select.attr('id').replace('countryCode', 'provinceName');
const form = select.parents('form');
if (select.val() === '' || select.val() == undefined) {
provinceContainer.fadeOut('slow', () => {
provinceContainer.html('');
});
return;
}
provinceContainer.attr('data-loading', true);
form.addClass('loading');
$.get(provinceContainer.attr('data-url'), { countryCode: select.val() }, (response) => {
if (!response.content) {
provinceContainer.fadeOut('slow', () => {
provinceContainer.html('');
provinceContainer.removeAttr('data-loading');
form.removeClass('loading');
});
} else if (response.content.indexOf('select') !== -1) {
provinceContainer.fadeOut('slow', () => {
const provinceSelectValue = getProvinceInputValue((
$(provinceContainer).find('select > option[selected$="selected"]').val()
));
provinceContainer.html((
response.content
.replace('name="sylius_address_province"', `name="${provinceSelectFieldName}"${provinceSelectValue}`)
.replace('id="sylius_address_province"', `id="${provinceSelectFieldId}"`)
.replace('option value="" selected="selected"', 'option value=""')
.replace(`option ${provinceSelectValue}`, `option ${provinceSelectValue}" selected="selected"`)
));
provinceContainer.addClass('required');
provinceContainer.removeAttr('data-loading');
provinceContainer.fadeIn('fast', () => {
form.removeClass('loading');
});
});
} else {
provinceContainer.fadeOut('slow', () => {
const provinceInputValue = getProvinceInputValue($(provinceContainer).find('input').val());
provinceContainer.html((
response.content
.replace('name="sylius_address_province"', `name="${provinceInputFieldName}"${provinceInputValue}`)
.replace('id="sylius_address_province"', `id="${provinceInputFieldId}"`)
));
provinceContainer.removeAttr('data-loading');
provinceContainer.fadeIn('fast', () => {
form.removeClass('loading');
});
});
}
});
});
if (countrySelect.val() !== '') {
countrySelect.trigger('change');
}
if ($.trim($('div.province-container').text()) === '') {
$('select.country-select').trigger('change');
}
const shippingAddressCheckbox = $('input[type="checkbox"][name$="[differentShippingAddress]"]');
const shippingAddressContainer = $('#sylius-shipping-address-container');
const toggleShippingAddress = function toggleShippingAddress() {
shippingAddressContainer.toggle(shippingAddressCheckbox.prop('checked'));
};
toggleShippingAddress();
shippingAddressCheckbox.on('change', toggleShippingAddress);
},
});
- Add new import in
assets/shop/entry.js:
// assets/shop/entry.js
// ...
import './sylius-province-field';
- If you're using Gulp, update your
gulpfile.babel.js:
import chug from 'gulp-chug';
+ import concat from 'gulp-concat';
import gulp from 'gulp';
import yargs from 'yargs';
const { argv } = ...
+ const rootPath = argv.rootPath || 'public/assets';
+
const config = [...];
'--rootPath',
argv.rootPath || '../../../../../../../public/assets',
'--nodeModulesPath',
argv.nodeModulesPath || '../../../../../../../node_modules',
];
...
export const buildShop = ...
+ export const patchShopJs = function patchShopJs() {
+ return gulp.src([
+ `${rootPath}/shop/js/app.js`,
+ 'assets/shop/sylius-province-field.js',
+ ])
+ .pipe(concat('app.js'))
+ .pipe(gulp.dest(`${rootPath}/shop/js`));
+ };
+ patchShopJs.description = 'Append shop security patches to built app.js.';
...
- export const build = gulp.parallel(buildAdmin, buildShop);
+ export const build = gulp.series(
+ gulp.parallel(buildAdmin, buildShop),
+ patchShopJs,
+ );
...
- gulp.task('shop', buildShop);
+ gulp.task('shop', gulp.series(buildShop, patchShopJs));
...
- Rebuild your assets:
yarn build
Acknowledgements
This security issue has been reported by @r2tunes, thank you!
References
- The original advisory: https://github.com/advisories/GHSA-mw82-6m2g-qh6c
For more information
If you have any questions or comments about this advisory:
- Open an issue in Sylius issues
- Email us at [email protected]
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 🐘Packagist | sylius/sylius | all versions | 1.9.12 |
| 🐘Packagist | sylius/sylius | ≥ 1.10.0-alpha.1&&< 1.10.16 | 1.10.16 |
| 🐘Packagist | sylius/sylius | ≥ 1.11.0-alpha.1&&< 1.11.17 | 1.11.17 |
| 🐘Packagist | sylius/sylius | ≥ 1.12.0-alpha.1&&< 1.12.16 | 1.12.16 |
| 🐘Packagist | sylius/sylius | ≥ 1.13.0-alpha.1&&< 1.13.1 | 1.13.1 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for sylius/sylius. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update sylius/sylius to 1.9.12 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-7prj-9ccr-hr3q is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-7prj-9ccr-hr3q is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-7prj-9ccr-hr3q. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-7prj-9ccr-hr3q in your dependencies?
O3 detects GHSA-7prj-9ccr-hr3q across Packagist dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.