CVE-2019-12186

Description

Grid component of Sylius omits HTML input sanitisation while rendering object implementing __toString() method through the string field type.

How to fix CVE-2019-12186

To remediate CVE-2019-12186, upgrade the affected package to a fixed version below.

• Packagist/sylius/grid—upgrade to 1.1.19 or later
• —upgrade to 1.1.19 or later
• —upgrade to 1.1.18 or later

Is CVE-2019-12186 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

• >= 1.0.0, < 1.1.19
• >= 1.0.0, < 1.1.19
• >= 1.0.0, < 1.1.18

CVSS scores

References (4)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2019-12186
• WEBgithub.com/FriendsOfPHP/security-advisories/blob/master/sylius/grid/CVE-2019-12186.yaml
• WEBgithub.com/FriendsOfPHP/security-advisories/blob/master/sylius/sylius/CVE-2019-12186.yaml
• WEBsylius.com/blog/cve-2019-12186