{"id":"CVE-2019-12186","details":"An issue was discovered in Sylius products. Missing input sanitization in sylius/sylius 1.0.x through 1.0.18, 1.1.x through 1.1.17, 1.2.x through 1.2.16, 1.3.x through 1.3.11, and 1.4.x through 1.4.3 and sylius/grid 1.0.x through 1.0.18, 1.1.x through 1.1.18, 1.2.x through 1.2.17, 1.3.x through 1.3.12, 1.4.x through 1.4.4, and 1.5.0 allows an attacker (an admin in the sylius/sylius case) to perform XSS by injecting malicious code into a field displayed in a grid with the \"string\" field type. The contents are an object, with malicious code returned by the __toString() method of that object.","aliases":["GHSA-rc5r-697f-28x6"],"modified":"2026-04-10T04:15:29.493570Z","published":"2019-12-31T15:15:10.957Z","references":[{"type":"ADVISORY","url":"https://sylius.com/blog/cve-2019-12186/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/sylius/grid","events":[{"introduced":"b597668a81c70d633dfdee2a6c91a533892cac32"},{"last_affected":"cf48b533ba0ccb13d443c523e08908213cfb8df9"},{"introduced":"0499edaed7aa0db472dc70642f0a2bbd6011b9d3"},{"last_affected":"8b079723b3c3a8b83e7c1dd72532cb2c1c846bb8"},{"introduced":"91a6092f428e3f2d0cf3383a1a60ffc31b296889"},{"last_affected":"f0529b6b7860f655f6f145c51a01d287a138bd10"},{"introduced":"9847f1910e523e3026c30a473dd2e0940565ebf6"},{"last_affected":"5cdf1f69f37ba8e397d4323398b28aa1d3f1ff96"},{"introduced":"a175871969cd1af79ddf7d72b9a04dab1edfa122"},{"last_affected":"4e455f40a3073f34187b5a39630d18042e6311ff"},{"introduced":"0"},{"last_affected":"a423001c8170723d604c40d1ee5d9bca3c59d5d3"},{"introduced":"b597668a81c70d633dfdee2a6c91a533892cac32"},{"last_affected":"cf48b533ba0ccb13d443c523e08908213cfb8df9"},{"introduced":"0499edaed7aa0db472dc70642f0a2bbd6011b9d3"},{"last_affected":"d707c22d6d3a2234045db7b389aa74f7affc6003"},{"introduced":"91a6092f428e3f2d0cf3383a1a60ffc31b296889"},{"last_affected":"22b919cad4b550f747cca4ad6991437ae6187e7f"},{"introduced":"9847f1910e523e3026c30a473dd2e0940565ebf6"},{"last_affected":"2bca782509c1cdf35337295dd18b90e35c2421a2"},{"introduced":"a175871969cd1af79ddf7d72b9a04dab1edfa122"},{"last_affected":"a175871969cd1af79ddf7d72b9a04dab1edfa122"}],"database_specific":{"versions":[{"introduced":"1.0.0"},{"last_affected":"1.0.18"},{"introduced":"1.1.0"},{"last_affected":"1.1.18"},{"introduced":"1.2.0"},{"last_affected":"1.2.17"},{"introduced":"1.3.0"},{"last_affected":"1.3.12"},{"introduced":"1.4.0"},{"last_affected":"1.4.4"},{"introduced":"0"},{"last_affected":"1.5.0"},{"introduced":"1.0.0"},{"last_affected":"1.0.18"},{"introduced":"1.1.0"},{"last_affected":"1.1.17"},{"introduced":"1.2.0"},{"last_affected":"1.2.16"},{"introduced":"1.3.0"},{"last_affected":"1.3.11"},{"introduced":"1.4.0"},{"last_affected":"1.4.3"}]}}],"versions":["v1.0.0","v1.0.0-rc.1","v1.0.0-rc.2","v1.0.1","v1.0.10","v1.0.11","v1.0.12","v1.0.13","v1.0.14","v1.0.15","v1.0.16","v1.0.17","v1.0.18","v1.0.2","v1.0.3","v1.0.4","v1.0.5","v1.0.6","v1.0.7","v1.0.8","v1.0.9","v1.1.0","v1.1.1","v1.1.10","v1.1.11","v1.1.12","v1.1.13","v1.1.14","v1.1.15","v1.1.17","v1.1.18","v1.1.2","v1.1.3","v1.1.4","v1.1.5","v1.1.6","v1.1.7","v1.1.8","v1.1.9","v1.2.0","v1.2.0-RC","v1.2.1","v1.2.10","v1.2.11","v1.2.12","v1.2.13","v1.2.14","v1.2.15","v1.2.16","v1.2.17","v1.2.2","v1.2.3","v1.2.4","v1.2.5","v1.2.6","v1.2.7","v1.2.8","v1.2.9","v1.3.0","v1.3.0-BETA","v1.3.1","v1.3.10","v1.3.11","v1.3.12","v1.3.2","v1.3.3","v1.3.4","v1.3.5","v1.3.6","v1.3.7","v1.3.8","v1.3.9","v1.4.0","v1.4.1","v1.4.2","v1.4.3","v1.4.4","v1.5.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-12186.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"}]}