Your RSA-2048 keys break in 2030. Find every one of them before attackers do.See CBOMkit
🐘 Packagist
GHSA-v2f9-rv6w-vw8r
MEDIUMSylius potentially vulnerable to Cross Site Scripting via "Name" field (Taxons, Products, Options, Variants) in Admin Panel
Also known asCVE-2024-34349
Published
May 10, 2024
Updated
Mar 9, 2026
Affected
5 pkgs
Patched
5 / 5
Exploits
None indexed
EPSS Exploitation Probability
0.4%probability of exploitation in next 30 days
Lower Risk35th percentile+0.37%
EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.
Blast Radius
🐘
sylius/sylius🐘sylius/sylius🐘sylius/sylius🐘sylius/sylius🐘sylius/syliusReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects Packagist packages — download data is not available via public APIs for these ecosystems.
Description
Impact
There is a possibility to execute javascript code in the Admin panel. In order to perform an XSS attack input a script into Name field in which of the resources: Taxons, Products, Product Options or Product Variants. The code will be executed while using an autocomplete field with one of the listed entities in the Admin Panel. Also for the taxons in the category tree on the product form.
Patches
The issue is fixed in versions: 1.9.12, 1.10.16, 1.11.17, 1.12.16, 1.13.1 and above.
Workarounds
- Create a new file
assets/admin/sylius-lazy-choice-tree.js:
// assets/admin/sylius-lazy-choice-tree.js
function sanitizeInput(input) {
const div = document.createElement('div');
div.textContent = input;
return div.innerHTML; // Converts text content to plain HTML, stripping any scripts
}
const createRootContainer = function createRootContainer() {
return $('<div class="ui list"></div>');
};
const createLeafContainerElement = function createLeafContainerElement() {
return $('<div class="list"></div>');
};
const createLeafIconElement = function createLeafIconElement() {
return $('<i class="folder icon"></i>');
};
const createLeafTitleElement = function createLeafTitleElement() {
return $('<div class="header"></div>');
};
const createLeafTitleSpan = function createLeafTitleSpan(displayName) {
return $(`<span style="margin-right: 5px; cursor: pointer;">${displayName}</span>`);
};
const createLeafContentElement = function createLeafContentElement() {
return $('<div class="content"></div>');
};
$.fn.extend({
choiceTree(type, multiple, defaultLevel) {
const tree = this;
const loader = tree.find('.dimmer');
const loadedLeafs = [];
const $input = tree.find('input[type="hidden"]');
const createCheckboxElement = function createCheckboxElement(name, code, multi) {
const chosenNodes = $input.val().split(',');
let checked = '';
if (chosenNodes.some(chosenCode => chosenCode === code)) {
checked = 'checked="checked"';
}
if (multi) {
return $(`<div class="ui checkbox" data-value="${code}"><input ${checked} type="checkbox" name="${type}"></div>`);
}
return $(`<div class="ui radio checkbox" data-value="${code}"><input ${checked} type="radio" name="${type}"></div>`);
};
const isLeafLoaded = function isLeafLoaded(code) {
return loadedLeafs.some(leafCode => leafCode === code);
};
let createLeafFunc;
const loadLeafAction = function loadLeafAction(parentCode, expandButton, content, icon, leafContainerElement) {
icon.toggleClass('open');
if (!isLeafLoaded(parentCode)) {
expandButton.api({
on: 'now',
url: tree.data('tree-leafs-url') || tree.data('taxon-leafs-url'),
method: 'GET',
cache: false,
data: {
parentCode,
},
beforeSend(settings) {
loader.addClass('active');
return settings;
},
onSuccess(response) {
response.forEach((leafNode) => {
leafContainerElement.append((
createLeafFunc(sanitizeInput(leafNode.name), leafNode.code, leafNode.hasChildren, multiple, leafNode.level)
));
});
content.append(leafContainerElement);
loader.removeClass('active');
loadedLeafs.push(parentCode);
leafContainerElement.toggle();
},
});
}
leafContainerElement.toggle();
};
const bindExpandLeafAction = function bindExpandLeafAction(parentCode, expandButton, content, icon, level) {
const leafContainerElement = createLeafContainerElement();
if (defaultLevel > level) {
loadLeafAction(parentCode, expandButton, content, icon, leafContainerElement);
}
expandButton.click(() => {
loadLeafAction(parentCode, expandButton, content, icon, leafContainerElement);
});
};
const bindCheckboxAction = function bindCheckboxAction(checkboxElement) {
checkboxElement.checkbox({
onChecked() {
const { value } = checkboxElement[0].dataset;
const checkedValues = $input.val().split(',').filter(Boolean);
checkedValues.push(value);
$input.val(checkedValues.join());
},
onUnchecked() {
const { value } = checkboxElement[0].dataset;
const checkedValues = $input.val().split(',').filter(Boolean);
const i = checkedValues.indexOf(value);
if (i !== -1) {
checkedValues.splice(i, 1);
}
$input.val(checkedValues.join());
},
});
};
const createLeaf = function createLeaf(name, code, hasChildren, multipleChoice, level) {
const displayNameElement = createLeafTitleSpan(name);
const titleElement = createLeafTitleElement();
const iconElement = createLeafIconElement();
const checkboxElement = createCheckboxElement(name, code, multipleChoice);
bindCheckboxAction(checkboxElement);
const leafElement = $('<div class="item"></div>');
const leafContentElement = createLeafContentElement();
leafElement.append(iconElement);
titleElement.append(displayNameElement);
titleElement.append(checkboxElement);
leafContentElement.append(titleElement);
if (!hasChildren) {
iconElement.addClass('outline');
}
if (hasChildren) {
bindExpandLeafAction(code, displayNameElement, leafContentElement, iconElement, level);
}
leafElement.append(leafContentElement);
return leafElement;
};
createLeafFunc = createLeaf;
tree.api({
on: 'now',
method: 'GET',
url: tree.data('tree-root-nodes-url') || tree.data('taxon-root-nodes-url'),
cache: false,
beforeSend(settings) {
loader.addClass('active');
return settings;
},
onSuccess(response) {
const rootContainer = createRootContainer();
response.forEach((rootNode) => {
rootContainer.append((
createLeaf(sanitizeInput(rootNode.name), rootNode.code, rootNode.hasChildren, multiple, rootNode.level)
));
});
tree.append(rootContainer);
loader.removeClass('active');
},
});
},
});
- Create new file
assets/admin/sylius-auto-complete.js:
// assets/admin/sylius-auto-complete.js
function sanitizeInput(input) {
const div = document.createElement('div');
div.textContent = input;
return div.innerHTML; // Converts text content to plain HTML, stripping any scripts
}
$.fn.extend({
autoComplete() {
this.each((idx, el) => {
const element = $(el);
const criteriaName = element.data('criteria-name');
const choiceName = element.data('choice-name');
const choiceValue = element.data('choice-value');
const autocompleteValue = element.find('input.autocomplete').val();
const loadForEditUrl = element.data('load-edit-url');
element.dropdown({
delay: {
search: 250,
},
forceSelection: false,
saveRemoteData: false,
verbose: true,
apiSettings: {
dataType: 'JSON',
cache: false,
beforeSend(settings) {
/* eslint-disable-next-line no-param-reassign */
settings.data[criteriaName] = settings.urlData.query;
return settings;
},
onResponse(response) {
let results = response.map(item => ({
name: sanitizeInput(item[choiceName]),
value: sanitizeInput(item[choiceValue]),
}));
if (!element.hasClass('multiple')) {
results.unshift({
name: ' ',
value: '',
});
}
return {
success: true,
results: results,
};
},
},
});
if (autocompleteValue.split(',').filter(String).length > 0) {
const menuElement = element.find('div.menu');
menuElement.api({
on: 'now',
method: 'GET',
url: loadForEditUrl,
beforeSend(settings) {
/* eslint-disable-next-line no-param-reassign */
settings.data[choiceValue] = autocompleteValue.split(',').filter(String);
return settings;
},
onSuccess(response) {
response.forEach((item) => {
menuElement.append((
$(`<div class="item" data-value="${item[choiceValue]}">${sanitizeInput(item[choiceName])}</div>`)
));
});
element.dropdown('refresh');
element.dropdown('set selected', element.find('input.autocomplete').val().split(',').filter(String));
},
});
}
});
},
});
- Create new file
assets/admin/sylius-product-auto-complete.js:
// assets/admin/sylius-product-auto-complete.js
function sanitizeInput(input) {
const div = document.createElement('div');
div.textContent = input;
return div.innerHTML; // Converts text content to plain HTML, stripping any scripts
}
$.fn.extend({
productAutoComplete() {
this.each((index, element) => {
const $element = $(element);
$element.dropdown('set selected', $element.find('input[name*="[associations]"]').val().split(',').filter(String));
});
this.dropdown({
delay: {
search: 250,
},
forceSelection: false,
apiSettings: {
dataType: 'JSON',
cache: false,
data: {
criteria: { search: { type: 'contains', value: '' } },
},
beforeSend(settings) {
/* eslint-disable-next-line no-param-reassign */
settings.data.criteria.search.value = settings.urlData.query;
return settings;
},
onResponse(response) {
return {
success: true,
results: response._embedded.items.map(item => ({
name: sanitizeInput(item.name),
value: sanitizeInput(item.code),
})),
};
},
},
onAdd(addedValue, addedText, $addedChoice) {
const inputAssociation = $addedChoice.parents('.product-select').find('input[name*="[associations]"]');
const associatedProductCodes = inputAssociation.val().length > 0 ? inputAssociation.val().split(',').filter(String) : [];
associatedProductCodes.push(addedValue);
$.unique(associatedProductCodes.sort());
inputAssociation.attr('value', associatedProductCodes.join());
},
onRemove(removedValue, removedText, $removedChoice) {
const inputAssociation = $removedChoice.parents('.product-select').find('input[name*="[associations]"]');
const associatedProductCodes = inputAssociation.val().length > 0 ? inputAssociation.val().split(',').filter(String) : [];
associatedProductCodes.splice($.inArray(removedValue, associatedProductCodes), 1);
inputAssociation.attr('value', associatedProductCodes.join());
},
});
},
});
- Add new import in
assets/admin/entry.js:
// assets/admin/entry.js
// ...
import './sylius-lazy-choice-tree';
import './sylius-auto-complete';
import './sylius-product-auto-complete';
- If you're using Gulp, update your
gulpfile.babel.js:
import chug from 'gulp-chug';
+ import concat from 'gulp-concat';
import gulp from 'gulp';
import yargs from 'yargs';
const { argv } = ...
+ const rootPath = argv.rootPath || 'public/assets';
+
const config = [...];
'--rootPath',
argv.rootPath || '../../../../../../../public/assets',
'--nodeModulesPath',
argv.nodeModulesPath || '../../../../../../../node_modules',
];
export const buildAdmin = ...
+ export const patchAdminJs = function patchAdminJs() {
+ return gulp.src([
+ `${rootPath}/admin/js/app.js`,
+ 'assets/admin/sylius-auto-complete.js',
+ 'assets/admin/sylius-product-auto-complete.js',
+ 'assets/admin/sylius-lazy-choice-tree.js',
+ ])
+ .pipe(concat('app.js'))
+ .pipe(gulp.dest(`${rootPath}/admin/js`));
+ };
+ patchAdminJs.description = 'Append admin security patches to built app.js.';
...
- export const build = gulp.parallel(buildAdmin, buildShop);
+ export const build = gulp.series(
+ gulp.parallel(buildAdmin, buildShop),
+ patchAdminJs,
+ );
...
- gulp.task('admin', buildAdmin);
+ gulp.task('admin', gulp.series(buildAdmin, patchAdminJs));
...
- Rebuild your assets:
yarn build
Acknowledgements
This security issue has been reported by Checkmarx Research Group, thank you!
For more information
If you have any questions or comments about this advisory:
- Open an issue in Sylius issues
- Email us at [email protected]
Affected Packages
5 total 5 fixed
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 🐘Packagist | sylius/sylius | all versions | 1.9.12 |
| 🐘Packagist | sylius/sylius | ≥ 1.10.0-alpha.1&&< 1.10.16 | 1.10.16 |
| 🐘Packagist | sylius/sylius | ≥ 1.11.0-alpha.1&&< 1.11.17 | 1.11.17 |
| 🐘Packagist | sylius/sylius | ≥ 1.12.0-alpha.1&&< 1.12.16 | 1.12.16 |
| 🐘Packagist | sylius/sylius | ≥ 1.13.0-alpha.1&&< 1.13.1 | 1.13.1 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for sylius/sylius. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update sylius/sylius to 1.9.12 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-v2f9-rv6w-vw8r is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-v2f9-rv6w-vw8r is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-v2f9-rv6w-vw8r. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
### Impact
There is a possibility to execute javascript code in the Admin panel. In order to perform an XSS attack input a script into `Name` field in which of the resources: Taxons, Products, Product Options or Product Variants. The code will be executed while using an autocomplete field with one of the listed entities in the Admin Panel. Also for the taxons in the category tree on the product form.
### Patches
The issue is fixed in versions: 1.9.12, 1.10.16, 1.11.17, 1.12.16, 1.13.1 and above.
### Workarounds
1. Create a new file `assets/admin/sylius-lazy-choice-tree.js`:
```js
// asset
O3 Security · Impact-Aware SCA
Is GHSA-v2f9-rv6w-vw8r in your dependencies?
O3 detects GHSA-v2f9-rv6w-vw8r across Packagist dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.