CVE-2022-24733
MEDIUM 6.1 | EPSS 0.29% | Improper Restriction of Rendered UI Layers or Frames in Sylius
Description
### Impact

It is possible for a page controlled by an attacker to load the website within an iframe. This enables a clickjacking attack, in which the attacker's page overlays the target application's interface with a different interface provided by the attacker.

### Patches

The issue is fixed in versions 1.9.10, 1.10.11, 1.11.2, and above.

### Workarounds

Every response from the app should have an `X-Frame-Options` header set to `sameorigin`. To achieve that you just need to add a new **subscriber** in your app.

```php
<?php
// src/EventListener/XFrameOptionsSubscriber.php

namespace App\EventListener;

use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpKernel\Event\ResponseEvent;
use Symfony\Component\HttpKernel\KernelEvents;

final class XFrameOptionsSubscriber implements EventSubscriberInterface
{
    public static function getSubscribedEvents(): array
    {
        return [
            KernelEvents::RESPONSE => 'onKernelResponse',
        ];
    }

    public function onKernelResponse(ResponseEvent $event): void
    {
        // Only the main request's response is sent to the browser; sub-requests are skipped
        if (!$this->isMainRequest($event)) {
            return;
        }

        $response = $event->getResponse();
        $response->headers->set('X-Frame-Options', 'sameorigin');
    }

    private function isMainRequest(ResponseEvent $event): bool
    {
        // Symfony 5.3+ renamed isMasterRequest() to isMainRequest(); support both
        if (\method_exists($event, 'isMainRequest')) {
            return $event->isMainRequest();
        }

        return $event->isMasterRequest();
    }
}
```

And register it in the container:

```yaml
# config/services.yaml
services:
    # ...
    App\EventListener\XFrameOptionsSubscriber:
        tags: ['kernel.event_subscriber']
```

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [Sylius issues](https://github.com/Sylius/Sylius/issues)
* Email us at [[email protected]](mailto:[email protected])
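To confirm the workaround actually reaches the browser, a defender can capture the response headers of a few pages (for example with `curl -sI`) and classify them. The checker below is an added example, not Sylius project code; all sample headers are constructed. It accepts either `X-Frame-Options` or the CSP `frame-ancestors` directive, which supersedes `X-Frame-Options` in current browsers when both are present.

```python
from __future__ import annotations

# Added example (not part of the Sylius advisory): classify a captured HTTP
# response header block by the clickjacking protection it carries.

def parse_headers(raw: str) -> list[tuple[str, str]]:
    """Split a raw header block into (lowercase name, value) pairs; status line skipped."""
    pairs = []
    for line in raw.splitlines():
        if ":" not in line or line.upper().startswith("HTTP/"):
            continue
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def frame_ancestors(pairs: list[tuple[str, str]]) -> list[str] | None:
    """Return the frame-ancestors source list from a CSP header, or None if absent."""
    for name, value in pairs:
        if name != "content-security-policy":
            continue
        for directive in value.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                return [t.strip("'").lower() for t in tokens[1:]]
    return None


def assess_framing(raw: str) -> dict:
    """Decide whether the response forbids framing by untrusted origins."""
    pairs = parse_headers(raw)
    sources = frame_ancestors(pairs)
    # CSP frame-ancestors wins over X-Frame-Options when both are present.
    if sources is not None:
        # 'none', 'self' or an explicit host list restricts framing; a bare
        # wildcard or scheme-only source admits every origin of that scheme.
        open_sources = {"*", "http:", "https:"}
        protected = bool(sources) and not (set(sources) & open_sources)
        return {"protected": protected, "mechanism": "csp", "sources": sources}
    xfo = [v.upper() for n, v in pairs if n == "x-frame-options"]
    if len(xfo) == 1 and xfo[0] in ("DENY", "SAMEORIGIN"):
        return {"protected": True, "mechanism": "x-frame-options", "value": xfo[0]}
    # Missing, duplicated or obsolete (ALLOW-FROM) values are treated as unprotected.
    return {"protected": False, "mechanism": "none", "value": xfo}


# Constructed samples: a response as the subscriber above would emit it, and one without it.
SAMPLE_PATCHED = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Frame-Options: sameorigin\r\n"
SAMPLE_UNPATCHED = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
```

Run it against error pages and API responses as well as the storefront, since the header must be present on every response, not only on rendered HTML.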
Affected packages (1)
- Packagist: sylius/sylius (from 0, < 1.9.10)
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 6.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
References (6)
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2022-24733
- PATCH https://github.com/Sylius/Sylius
- WEB https://github.com/Sylius/Sylius/releases/tag/v1.10.11
- WEB https://github.com/Sylius/Sylius/releases/tag/v1.11.2
- WEB https://github.com/Sylius/Sylius/releases/tag/v1.9.10
- WEB https://github.com/Sylius/Sylius/security/advisories/GHSA-4jp3-q2qm-9fmw