QwikSec

Security Database

CVE

CWE

Training

CVE-2022-24752

Published: Mar 15, 2022

Modified: Apr 23, 2025

PUBLISHED

CVSS v3.1

9.8

CRITICAL

Description

SyliusGridBundle is a package of generic data grids for Symfony applications. Prior to versions 1.10.1 and 1.11-rc2, values added at the end of query sorting were passed directly to the database. The maintainers do not know if this could lead to direct SQL injections but took steps to remediate the vulnerability. The issue is fixed in versions 1.10.1 and 1.11-rc2. As a workaround, overwrite the`Sylius\Component\Grid\Sorting\Sorter.php` class and register it in the container. More information about this workaround is available in the GitHub Security Advisory.

Vendor	Product	Versions
Sylius	SyliusGridBundle	affected `< 1.10.1` affected `1.11-alpha, <= 1.11-rc`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

References

https://github.com/Sylius/SyliusGridBundle/security/advisories/GHSA-2xmm-g482-4439

x_refsource_CONFIRM

https://github.com/Sylius/SyliusGridBundle/pull/222

x_refsource_MISC

https://github.com/Sylius/SyliusGridBundle/commit/73d0791d0575f955e830a3da4c3345f420d2f784

x_refsource_MISC

https://github.com/Sylius/SyliusGridBundle/releases/tag/v1.10.1

x_refsource_MISC

https://github.com/Sylius/SyliusGridBundle/releases/tag/v1.11.0-RC.2

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.