Security Release Notes 201903.0


The following information pertains to security-related issues that were discovered and resolved.

Issues are listed by description and affected modules.

If you need any additional support with this content, please contact support@spryker.com.

Two of the vulnerabilities below require direct Zed access to be exploitable. It is advised to always secure Zed, regularly review which users have access to it, and place Zed in a demilitarized zone within your infrastructure perimeter.

Possible Cross-Site Scripting (XSS)

An admin user was able to save raw HTML in product attributes, glossary and user roles management in Zed. Additional filtering has been added.

Affected modules:

  • ProductAttribute (1.1.2)
  • ProductAttributeGui (1.2.1)
  • Glossary (3.5.2)
  • Acl (3.1.2)

How to get the fix: Just update modules with

composer update spryker/acl spryker/glossary spryker/product-attribute-gui spryker/product-attribute
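The fix above adds filtering so that raw HTML cannot be saved through these Zed forms. The following is an added example (not Spryker's own code) showing the two things a practitioner would want around such a fix: an escape-on-save filter, and an audit over values that were stored before the filter existed. The sample values and field names are constructed for the example; whether your database still holds pre-fix HTML is an assumption you should verify against your own data.

```python
import html
import re

# Constructed sample of attribute values as an admin might have stored them
# in Zed before the filter existed (example data only, not from a real shop).
STORED_VALUES = {
    "color": "red",
    "description": "<b>Soft</b> cotton",
    "material": "<script>void 0</script>",
    "note": "5 < 10 and 10 > 5",  # a bare '<' is text, not markup
}

# Matches anything shaped like an opening or closing HTML tag.
_TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def contains_markup(value: str) -> bool:
    """True when the value contains something that would parse as an HTML tag."""
    return bool(_TAG_RE.search(value))


def sanitize_for_storage(value: str) -> str:
    """Escape on save so the stored text can never become markup when rendered.

    Escaping again at output time (in the Twig template) remains good practice
    as defence in depth; this function only covers the save path.
    """
    return html.escape(value, quote=True)


def audit(values: dict) -> list:
    """Return the keys whose stored values still contain raw markup."""
    return sorted(key for key, value in values.items() if contains_markup(value))


if __name__ == "__main__":
    print("fields holding raw HTML:", audit(STORED_VALUES))
    for key in audit(STORED_VALUES):
        print(key, "->", sanitize_for_storage(STORED_VALUES[key]))
```

Run the audit against an export of your product attribute, glossary and ACL role data after upgrading; the module update filters new input but the example assumes nothing about already-stored rows.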

Possible Cross-Site Request Forgery (CSRF)

Product attribute forms were missing CSRF form tokens.

Affected module:

  • ProductAttributeGui (1.1.0)

How to get the fix: Just update modules with

composer update spryker/product-attribute-gui
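To illustrate what a missing CSRF token means for a form handler, here is an added example (not Spryker's or Symfony's implementation) of a per-session, per-form token derived with an HMAC and checked with a constant-time comparison. The session secrets, form name and field dictionaries are constructed for the example.

```python
import hashlib
import hmac
import secrets


def new_session_secret() -> bytes:
    """Random per-session secret; stored server-side, never sent to the client."""
    return secrets.token_bytes(32)


def issue_token(session_secret: bytes, form_name: str) -> str:
    """Derive a token bound to both the session and the specific form."""
    return hmac.new(session_secret, form_name.encode(), hashlib.sha256).hexdigest()


def verify_token(session_secret: bytes, form_name: str, submitted: str) -> bool:
    """Constant-time check so timing does not leak how much of the token matched."""
    expected = issue_token(session_secret, form_name)
    return hmac.compare_digest(expected, submitted or "")


def handle_post(session_secret: bytes, form_name: str, fields: dict) -> str:
    """Reject the submission unless it carries a valid token for this session."""
    if not verify_token(session_secret, form_name, fields.get("_token", "")):
        return "rejected"
    return "saved"


# Constructed scenario: a legitimate admin session and a second, unrelated session.
ADMIN_SESSION = new_session_secret()
OTHER_SESSION = new_session_secret()
FORM = "product-attribute-edit"  # hypothetical form name

# A request rendered from the admin's own page carries the matching token.
legit_request = {"name": "color", "_token": issue_token(ADMIN_SESSION, FORM)}
# A request lacking the token (as with the unfixed forms) has nothing to check.
tokenless_request = {"name": "color"}
# A token minted for a different session does not verify either.
foreign_request = {"name": "color", "_token": issue_token(OTHER_SESSION, FORM)}

if __name__ == "__main__":
    for label, req in [("legit", legit_request), ("tokenless", tokenless_request),
                       ("foreign", foreign_request)]:
        print(label, "->", handle_post(ADMIN_SESSION, FORM, req))
```

The token is tied to the session secret, so it cannot be obtained without already having that session; binding it to the form name additionally stops a token issued for one form from being replayed against another.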

Potential Clickjacking

A Content-Security-Policy response header is now added by default.

Affected module:

  • Application (3.14.0)

How to get the fix: Just update modules with

composer update spryker/application
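A Content-Security-Policy header only prevents clickjacking if it actually carries a frame-ancestors directive; the notes above do not state which directives the default policy contains, so it is worth checking the responses your own deployment sends. The following is an added example (not part of the Application module) that classifies a response's framing protection from its headers, honouring the rule that a CSP frame-ancestors directive takes precedence over X-Frame-Options. The header sets are constructed for the example.

```python
def parse_csp(value: str) -> dict:
    """Split a CSP header into {directive-name: [values...]}."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, *values = part.split()
        directives[name.lower()] = values
    return directives


def framing_protection(headers: dict) -> str:
    """Describe what, if anything, stops this response from being framed.

    Returns one of:
      'csp:<sources>'   frame-ancestors present (e.g. "csp:'none'", "csp:'self'")
      'xfo:<value>'     only X-Frame-Options present
      'unprotected'     neither, or a CSP without frame-ancestors
    """
    lower = {k.lower(): v for k, v in headers.items()}
    csp = lower.get("content-security-policy")
    if csp:
        ancestors = parse_csp(csp).get("frame-ancestors")
        if ancestors is not None:
            return "csp:" + " ".join(ancestors)
    xfo = lower.get("x-frame-options")
    if xfo:
        return "xfo:" + xfo.strip().upper()
    return "unprotected"


# Constructed responses (these are example header sets, not captured traffic).
RESPONSES = {
    "csp-none": {"Content-Security-Policy": "frame-ancestors 'none'; default-src 'self'"},
    "csp-self": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"},
    "csp-without-frame-ancestors": {"Content-Security-Policy": "default-src 'self'"},
    "xfo-only": {"X-Frame-Options": "deny"},
    "nothing": {"Content-Type": "text/html"},
}


def audit_responses(responses: dict) -> dict:
    """Map each response name to its framing classification."""
    return {name: framing_protection(h) for name, h in responses.items()}


if __name__ == "__main__":
    for name, result in audit_responses(RESPONSES).items():
        print(f"{name:30} {result}")
```

Feed it the headers returned by a Zed login page (for instance from a curl -I run against your own instance) and treat anything reported as unprotected as a sign that the policy is not taking effect, even though the header is present.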

Default Application Environment

This is not a security vulnerability, but to prevent serious mistakes, the default value of APPLICATION_ENV (used when it is not passed in from the system environment) has been set to production in the Install module.

Affected module:

  • Install (0.5.1)