CVE-2022-24733

描述

### Impact It is possible for a page controlled by an attacker to load the website within an iframe. This will enable a clickjacking attack, in which the attacker's page overlays the target application's interface with a different interface provided by the attacker ### Patches The issue is fixed in versions: 1.9.10, 1.10.11, 1.11.2, and above. ### Workarounds Every response from app should have an X-Frame-Options header set to: ``sameorigin``. To achieve that you just need to add a new **subscriber** in your app. ```php <?php // src/EventListener/XFrameOptionsSubscriber.php namespace App\EventListener final class XFrameOptionsSubscriber implements EventSubscriberInterface { public static function getSubscribedEvents(): array { return [ KernelEvents::RESPONSE => 'onKernelResponse', ]; } public function onKernelResponse(ResponseEvent $event): void { if (!$this->isMainRequest($event)) { return; } $response = $event->getResponse(); $response->headers->set('X-Frame-Options', 'sameorigin'); } private function isMainRequest(ResponseEvent $event): bool { if (\method_exists($event, 'isMainRequest')) { return $event->isMainRequest(); } return $event->isMasterRequest(); } } ``` And register it in the container: ```yaml # config/services.yaml services: # ... App\EventListener\XFrameOptionsSubscriber: tags: ['kernel.event_subscriber'] ``` ### For more information If you have any questions or comments about this advisory: * Open an issue in [Sylius issues](https://github.com/Sylius/Sylius/issues) * Email us at [[email protected]](mailto:[email protected])

受影響套件(1)

• Packagist/sylius/syliusfrom 0, < 1.9.10

CVSS 分數

參考連結(6)

• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-24733
• PATCHhttps://github.com/Sylius/Sylius
• WEBhttps://github.com/Sylius/Sylius/releases/tag/v1.10.11
• WEBhttps://github.com/Sylius/Sylius/releases/tag/v1.11.2
• WEBhttps://github.com/Sylius/Sylius/releases/tag/v1.9.10
• WEBhttps://github.com/Sylius/Sylius/security/advisories/GHSA-4jp3-q2qm-9fmw