CVE-2022-24752

CRITICAL

SyliusGridBundle <1.10.1, 1.11-rc2 - SQL Injection

Title source: llm
STIX 2.1

Description

SyliusGridBundle is a package of generic data grids for Symfony applications. Prior to versions 1.10.1 and 1.11-rc2, values added at the end of query sorting were passed directly to the database. The maintainers do not know if this could lead to direct SQL injections but took steps to remediate the vulnerability. The issue is fixed in versions 1.10.1 and 1.11-rc2. As a workaround, overwrite the`Sylius\Component\Grid\Sorting\Sorter.php` class and register it in the container. More information about this workaround is available in the GitHub Security Advisory.

References (5)

Core 5
Core References
Patch, Third Party Advisory x_refsource_misc
https://github.com/Sylius/SyliusGridBundle/pull/222
Release Notes, Third Party Advisory x_refsource_misc
https://github.com/Sylius/SyliusGridBundle/releases/tag/v1.10.1
Release Notes, Third Party Advisory x_refsource_misc
https://github.com/Sylius/SyliusGridBundle/releases/tag/v1.11.0-RC.2

Scores

CVSS v3 9.8
EPSS 0.0134
EPSS Percentile 67.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE
CWE-89
Status published
Products (3)
sylius/grid-bundle 0 - 1.10.1Packagist
sylius/syliusgridbundle 1.11.0 (4 CPE variants)
sylius/syliusgridbundle < 1.10.1
Published Mar 15, 2022
Tracked Since Feb 18, 2026