CVE-2022-24752
Severity: CRITICAL (CVSS 9.8)
Description
SyliusGridBundle is a package of generic data grids for Symfony applications. Prior to versions 1.10.1 and 1.11-rc2, values added at the end of query sorting were passed directly to the database. The maintainers do not know if this could lead to direct SQL injections but took steps to remediate the vulnerability. The issue is fixed in versions 1.10.1 and 1.11-rc2. As a workaround, overwrite the `Sylius\Component\Grid\Sorting\Sorter.php` class and register it in the container. More information about this workaround is available in the GitHub Security Advisory.
CVE details
CVSS v3.1 score: 9.8
Severity: CRITICAL
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
User interaction: NONE
Published: 3/15/2022
Last modified: 11/21/2024
Source: nvd
Honeypot sightings: 0
Affected products
sylius:syliusgridbundle
Weaknesses (CWE)
CWE-89
References (each listed by both NVD reference sources: security-advisories@github.com and af854a3a-2127-422b-91ae-364da2661108)
https://github.com/Sylius/SyliusGridBundle/commit/73d0791d0575f955e830a3da4c3345f420d2f784
https://github.com/Sylius/SyliusGridBundle/pull/222
https://github.com/Sylius/SyliusGridBundle/releases/tag/v1.10.1
https://github.com/Sylius/SyliusGridBundle/releases/tag/v1.11.0-RC.2
https://github.com/Sylius/SyliusGridBundle/security/advisories/GHSA-2xmm-g482-4439
IOC correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.