CVE-2024-29376: Sylius has potential Cross Site Scripting vulnerability via the "Province" field in the Checkout and Address Book

May 10, 2024 (updated March 9, 2026)

There is a possibility to save XSS code in province field in the Checkout and Address Book and then execute it on these pages. The problem occurs when you open the address step page in the checkout or edit the address in the address book. This only affects the base UI Shop provided by Sylius.

References

github.com/Sylius/Sylius
github.com/Sylius/Sylius/commit/fb0ecb275747e364f1d4744ed8605c57f9bd8a80
github.com/Sylius/Sylius/security/advisories/GHSA-7prj-9ccr-hr3q
github.com/advisories/GHSA-7prj-9ccr-hr3q
github.com/r2tunes/Reports/blob/main/Sylius.md
nvd.nist.gov/vuln/detail/CVE-2024-29376

Code Behaviors & Features

Detect and mitigate CVE-2024-29376 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →