Security release notes 202403.0

Last updated: March 26, 2024

Edit on GitHub

The following information pertains to security-related issues that have been recently resolved.

For additional support with this content, contact our support. If you found a new security vulnerability, contact us at security@spryker.com.

Privilege escalation through the “adding users to companies” function

Due to an access controls vulnerability in the “adding users to companies” function, it was possible for attackers with access to the vulnerable functionality of a company to create admin users to another company.

Affected modules

spryker-shop/company-page: 1.0.0 - 2.24.0

Fix the vulnerability

Upgrade the spryker-shop/company-page module to version 2.25.0 or higher:

composer update spryker-shop/company-page
composer show spryker-shop/company-page # Verify the version

User enumeration using response content

When changing the email address, based on the application’s response to a provided email, it was possible to identify whether an account with the provided email existed in the system. This information could be leveraged for attacks like phishing campaigns and password brute forcing.

Affected modules

spryker/user-merchant-portal-gui: 1.0.0 - 2.5.0

Fix the vulnerability

Upgrade the spryker/user-merchant-portal-gui module to version 2.6.0:

composer require spryker/user-merchant-portal-gui:"~2.6.0"
composer show spryker/user-merchant-portal-gui # Verify the version

Create or update src/Pyz/Zed/UserMerchantPortalGui/UserMerchantPortalGuiConfig.php:

<?php

/**
 * Copyright © 2016-present Spryker Systems GmbH. All rights reserved.
 * Use of this software requires acceptance of the Evaluation License Agreement. See LICENSE file.
 */

namespace Pyz\Zed\UserMerchantPortalGui;

use Spryker\Zed\UserMerchantPortalGui\UserMerchantPortalGuiConfig as SprykerUserMerchantPortalGuiConfig;

class UserMerchantPortalGuiConfig extends SprykerUserMerchantPortalGuiConfig
{
    /**
     * @var bool
     */
    protected const IS_SECURITY_BLOCKER_FOR_MERCHANT_USER_EMAIL_CHANGING_ENABLED = true;
}

Reauthentication missing from change email functionality

Merchant users were able to change the email of their account without authentication. Requiring reauthentication for sensitive functionalities is an additional protection against attacks targeting the modification of users’ details. These functionalities could be targeted remotely in combination with cross-site request forgery (CSRF) or clickjacking vulnerabilities.

Affected modules

spryker/user-merchant-portal-gui: 1.0.0 - 2.4.0

Introduced changes

Reauthentication was added as an additional protection against attacks targeting the functionality of changing a user’s email.

Fix the vulnerability

Upgrade the spryker/user-merchant-portal-gui module to version 2.5.0:

composer require spryker/user-merchant-portal-gui:"~2.5.0"
composer show spryker/user-merchant-portal-gui # Verify the version

Create or update src/Pyz/Zed/UserMerchantPortalGui/UserMerchantPortalGuiConfig.php:

<?php

/**
 * Copyright © 2016-present Spryker Systems GmbH. All rights reserved.
 * Use of this software requires acceptance of the Evaluation License Agreement. See LICENSE file.
 */

namespace Pyz\Zed\UserMerchantPortalGui;

use Spryker\Zed\UserMerchantPortalGui\UserMerchantPortalGuiConfig as SprykerUserMerchantPortalGuiConfig;

class UserMerchantPortalGuiConfig extends SprykerUserMerchantPortalGuiConfig
{
    /**
     * @var bool
     */
    protected const IS_EMAIL_UPDATE_PASSWORD_VERIFICATION_ENABLED = true;
}

Rebuild the Merchant Portal frontend:

console frontend:mp:build.

Rebuild the cache for the Merchant Portal router:

console router:cache:warm-up:merchant-portal

Clear cache:

console cache:empty-all

SameSite attribute added to Storefront and Backoffice cookies

SameSite prevents the browser from sending the cookie along with cross-site requests. This mitigates the risk of cross-origin information leakage. It also provides protection against cross-site request forgery attacks.

Introduced changes

The SameSite attribute was added to the cookies of the Storefront and Backoffice applications.

Fix the vulnerability

Add the following configuration on the project level:

$config[SessionConstants::YVES_SESSION_COOKIE_SAMESITE] = getenv('SPRYKER_YVES_SESSION_COOKIE_SAMESITE') ?: Cookie::SAMESITE_LAX;
$config[SessionConstants::ZED_SESSION_COOKIE_SAMESITE] = getenv('SPRYKER_ZED_SESSION_COOKIE_SAMESITE') ?: Cookie::SAMESITE_STRICT;

Payment provider redirects

If an integrated payment provider needs to perform POST redirect requests, the configuration for Storefront should be as follows:

$config[SessionConstants::YVES_SESSION_COOKIE_SAMESITE] = getenv('SPRYKER_YVES_SESSION_COOKIE_SAMESITE') ?: Cookie::SAMESITE_STRICT;

Was this article helpful?

Tell us what could be better

Name (Optional)

Email (Optional) Invalid email format.

Type your thoughts here

We appreciate the time you took to share the feedback
and will consider it as soon as possible.

Security release notes 202403.0

Privilege escalation through the “adding users to companies” function

Affected modules

Fix the vulnerability

User enumeration using response content

Affected modules

Fix the vulnerability

Reauthentication missing from change email functionality

Affected modules

Introduced changes

Fix the vulnerability

SameSite attribute added to Storefront and Backoffice cookies

Introduced changes

Fix the vulnerability

Thank you!