CVE-2024-29376 identifies a Cross Site Scripting (XSS) vulnerability in Sylius version 1.12.13, specifically within the 'Province' field of the Address Book functionality. Sylius is an open-source e-commerce platform built on PHP and Symfony, widely used for online store management. The vulnerability stems from insufficient input validation and output encoding of the 'Province' field, allowing an authenticated user with low privileges to inject malicious JavaScript code. This injected script executes in the context of other users who view the affected data, potentially compromising session tokens, cookies, or other sensitive information. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) indicates that the attack can be launched remotely over the network with low attack complexity, requires low privileges (authenticated user), and no user interaction is needed. The scope is changed, meaning the vulnerability affects resources beyond the initially compromised component. The impact is limited to confidentiality and integrity, with no direct availability impact. No public exploits or patches are currently available, but the vulnerability is documented and published as of April 22, 2024. CWE-79 classification confirms this is a classic reflected/stored XSS issue. Organizations using Sylius 1.12.13 should be aware of this vulnerability and prepare to apply patches or mitigations once available.

The primary impact of CVE-2024-29376 is the potential compromise of user confidentiality and data integrity within affected Sylius e-commerce platforms. Successful exploitation allows attackers to execute arbitrary scripts in the context of other users, which can lead to session hijacking, theft of sensitive information such as personal data or payment details, and unauthorized actions performed on behalf of victims. Although the vulnerability requires authenticated access, many e-commerce platforms allow user registration or have multiple user roles, increasing the attack surface. The lack of user interaction requirement facilitates automated exploitation once credentials are obtained. While availability is not affected, the breach of confidentiality and integrity can severely damage customer trust, lead to regulatory penalties (e.g., GDPR), and cause financial losses. Organizations relying on Sylius 1.12.13 for their online storefronts are at risk of targeted attacks, especially those with high volumes of user interactions and sensitive transactions.

To mitigate CVE-2024-29376, organizations should immediately audit and sanitize all user inputs in the Address Book, especially the 'Province' field, applying strict server-side input validation and output encoding to prevent script injection. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in the browser. Limit user privileges to the minimum necessary to reduce the risk of exploitation by authenticated users. Monitor logs for suspicious activities related to input fields and user sessions. Since no official patch is currently linked, consider implementing Web Application Firewall (WAF) rules to detect and block XSS payloads targeting the vulnerable field. Educate developers on secure coding practices to prevent similar issues. Once an official patch or update from Sylius is released, prioritize its deployment. Additionally, conduct regular security assessments and penetration testing focused on input validation vulnerabilities.