{
  "id": "CVE-2019-12186",
  "details": "An issue was discovered in Sylius products. Missing input sanitization in sylius/sylius 1.0.x through 1.0.18, 1.1.x through 1.1.17, 1.2.x through 1.2.16, 1.3.x through 1.3.11, and 1.4.x through 1.4.3 and sylius/grid 1.0.x through 1.0.18, 1.1.x through 1.1.18, 1.2.x through 1.2.17, 1.3.x through 1.3.12, 1.4.x through 1.4.4, and 1.5.0 allows an attacker (an admin in the sylius/sylius case) to perform XSS by injecting malicious code into a field displayed in a grid with the \"string\" field type. The contents are an object, with malicious code returned by the __toString() method of that object.",
  "aliases": ["GHSA-rc5r-697f-28x6"],
  "modified": "2026-05-18T17:42:16.230768Z",
  "published": "2019-12-31T15:15:10.957Z",
  "references": [
    {"type": "ADVISORY", "url": "https://sylius.com/blog/cve-2019-12186/"}
  ],
  "affected": [
    {
      "ranges": [
        {
          "type": "GIT",
          "repo": "https://github.com/sylius/grid",
          "events": [
            {"introduced": "b597668a81c70d633dfdee2a6c91a533892cac32"},
            {"last_affected": "cf48b533ba0ccb13d443c523e08908213cfb8df9"},
            {"introduced": "0499edaed7aa0db472dc70642f0a2bbd6011b9d3"},
            {"last_affected": "8b079723b3c3a8b83e7c1dd72532cb2c1c846bb8"},
            {"introduced": "91a6092f428e3f2d0cf3383a1a60ffc31b296889"},
            {"last_affected": "f0529b6b7860f655f6f145c51a01d287a138bd10"},
            {"introduced": "9847f1910e523e3026c30a473dd2e0940565ebf6"},
            {"last_affected": "5cdf1f69f37ba8e397d4323398b28aa1d3f1ff96"},
            {"introduced": "a175871969cd1af79ddf7d72b9a04dab1edfa122"},
            {"last_affected": "4e455f40a3073f34187b5a39630d18042e6311ff"},
            {"introduced": "0"},
            {"last_affected": "a423001c8170723d604c40d1ee5d9bca3c59d5d3"}
          ],
          "database_specific": {
            "cpe": [
              "cpe:2.3:a:sylius:grid:*:*:*:*:*:*:*:*",
              "cpe:2.3:a:sylius:grid:1.5.0:*:*:*:*:*:*:*"
            ],
            "source": "CPE_FIELD",
            "extracted_events": [
              {"introduced": "1.0.0"}, {"last_affected": "1.0.18"},
              {"introduced": "1.1.0"}, {"last_affected": "1.1.18"},
              {"introduced": "1.2.0"}, {"last_affected": "1.2.17"},
              {"introduced": "1.3.0"}, {"last_affected": "1.3.12"},
              {"introduced": "1.4.0"}, {"last_affected": "1.4.4"},
              {"introduced": "0"}, {"last_affected": "1.5.0"}
            ]
          }
        }
      ],
      "versions": [
        "v1.5.0", "v1.4.4", "v1.3.12", "v1.2.17", "v1.1.18", "v1.0.18", "v1.0.17", "v1.0.16",
        "v1.0.15", "v1.0.14", "v1.0.13", "v1.0.12", "v1.0.11", "v1.0.10", "v1.0.9", "v1.0.8",
        "v1.0.7", "v1.0.6", "v1.0.5", "v1.0.4", "v1.0.3", "v1.0.2", "v1.0.1", "v1.0.0-rc.2",
        "v1.0.0-rc.1", "v1.0.0"
      ],
      "database_specific": {
        "source": "https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-12186.json"
      }
    },
    {
      "ranges": [
        {
          "type": "GIT",
          "repo": "https://github.com/sylius/sylius",
          "events": [
            {"introduced": "b5920f580e7ffddacdd507161f3cb94a1e7f4ed2"},
            {"last_affected": "628dff3202029bf95c0c2cb3113ca499732d02d4"},
            {"introduced": "723c19834562f61167a51a155e575fe3a8d6ae8f"},
            {"last_affected": "e665888ffa31274043fefd8766137a8ba92e4ccb"},
            {"introduced": "fe61f5c3aee73754e2e3df0cdc7558237ee0f8aa"},
            {"last_affected": "75c28267e80787f86f2e1ec2ea127ac1cddb0598"},
            {"introduced": "18cf8dce6e77e1469999d4959b31df65325d4e1c"},
            {"last_affected": "59ddfed801f7d3f76cda11e7a2bd16df20ff2708"},
            {"introduced": "c4bb5174a64c52d3477b97ab6e33078810c005d0"},
            {"last_affected": "f14460319ca9f71a021e1a816b28b72007d48a03"}
          ],
          "database_specific": {
            "cpe": "cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*",
            "source": "CPE_FIELD",
            "extracted_events": [
              {"introduced": "1.0.0"}, {"last_affected": "1.0.18"},
              {"introduced": "1.1.0"}, {"last_affected": "1.1.17"},
              {"introduced": "1.2.0"}, {"last_affected": "1.2.16"},
              {"introduced": "1.3.0"}, {"last_affected": "1.3.11"},
              {"introduced": "1.4.0"}, {"last_affected": "1.4.3"}
            ]
          }
        }
      ],
      "versions": [
        "v1.4.3", "v1.3.11", "v1.4.2", "v1.3.10", "v1.4.1", "v1.3.9", "v1.2.16", "v1.1.17",
        "v1.4.0", "v1.3.8", "v1.2.15", "v1.3.7", "v1.2.14", "v1.3.6", "v1.2.13", "v1.3.5",
        "v1.2.12", "v1.1.16", "v1.3.4", "v1.2.11", "v1.3.3", "v1.2.10", "v1.3.2", "v1.2.9",
        "v1.3.1", "v1.2.8", "v1.1.15", "v1.3.0", "v1.2.7", "v1.1.14", "v1.2.6", "v1.1.13",
        "v1.2.5", "v1.1.12", "v1.2.4", "v1.1.11", "v1.2.3", "v1.1.10", "v1.0.18", "v1.2.2",
        "v1.1.9", "v1.0.17", "v1.2.1", "v1.1.8", "v1.2.0", "v1.1.7", "v1.0.16", "v1.1.6",
        "v1.0.15", "v1.1.5", "v1.0.14", "v1.1.4", "v1.1.3", "v1.0.13", "v1.1.2", "v1.0.12",
        "v1.1.1", "v1.0.11", "v1.1.0", "v1.0.10", "v1.0.9", "v1.0.8", "v1.0.7", "v1.0.6",
        "v1.0.5", "v1.0.4", "v1.0.3", "v1.0.2", "v1.0.1", "v1.0.0"
      ],
      "database_specific": {
        "source": "https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-12186.json"
      }
    }
  ],
  "schema_version": "1.7.5",
  "severity": [
    {"type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"}
  ]
}