CVE-2022-24752
CRITICALSyliusGridBundle <1.10.1, 1.11-rc2 - SQL Injection
Title source: llmDescription
SyliusGridBundle is a package of generic data grids for Symfony applications. Prior to versions 1.10.1 and 1.11-rc2, values added at the end of query sorting were passed directly to the database. The maintainers do not know if this could lead to direct SQL injections but took steps to remediate the vulnerability. The issue is fixed in versions 1.10.1 and 1.11-rc2. As a workaround, overwrite the`Sylius\Component\Grid\Sorting\Sorter.php` class and register it in the container. More information about this workaround is available in the GitHub Security Advisory.
References (5)
Core 5
Core References
Third Party Advisory x_refsource_confirm
https://github.com/Sylius/SyliusGridBundle/security/advisories/GHSA-2xmm-g482-4439
Patch, Third Party Advisory x_refsource_misc
https://github.com/Sylius/SyliusGridBundle/pull/222
Patch, Third Party Advisory x_refsource_misc
https://github.com/Sylius/SyliusGridBundle/commit/73d0791d0575f955e830a3da4c3345f420d2f784
Release Notes, Third Party Advisory x_refsource_misc
https://github.com/Sylius/SyliusGridBundle/releases/tag/v1.10.1
Release Notes, Third Party Advisory x_refsource_misc
https://github.com/Sylius/SyliusGridBundle/releases/tag/v1.11.0-RC.2
Scores
CVSS v3
9.8
EPSS
0.0134
EPSS Percentile
67.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
CWE
CWE-89
Status
published
Products (3)
sylius/grid-bundle
0 - 1.10.1Packagist
sylius/syliusgridbundle
1.11.0 (4 CPE variants)
sylius/syliusgridbundle
< 1.10.1
Published
Mar 15, 2022
Tracked Since
Feb 18, 2026