Lucene search
GoogleOSV:GHSA-PRG5-HG25-8GRQHistoryJan 31, 2020 - 6:00 p.m.
Ability to switch channels via GET parameter enabled in production environments
2020-01-3118:00:58
Google
osv.dev
5
0.001 Low
EPSS
Percentile
31.1%
Impact
This vulnerability gives the ability to switch channels via the _channel_code GET parameter in production environments. This was meant to be enabled only when %kernel.debug% is set to true.
However, if no sylius_channel.debug is set explicitly in the configuration, the default value which is %kernel.debug% will be not resolved and cast to boolean, enabling this debug feature even if that parameter is set to false.
Patches
Patch has been provided for Sylius 1.3.x and newer - 1.3.16, 1.4.12, 1.5.9, 1.6.5. Versions older than 1.3 are not covered by our security support anymore.
Workarounds
Unsupported versions could be patched by adding the following configuration to run in production:
sylius_channel:
debug: false
Related
osv
osv
Ability to expose data in Sylius by using an unintended serialisation group
2020-01-31 18:00:43
CVE-2020-5220
2020-01-27 21:15:11
CVE-2020-5218
2020-01-27 21:15:11
veracode
veracode
Information Disclosure
2020-01-28 04:34:18
Unauthorized Channel Switching
2020-02-03 13:16:05
prion
prion
Design/Logic Flaw
2020-01-27 21:15:00
Design/Logic Flaw
2020-01-27 21:15:00
friendsofphp
friendsofphp
nvd
nvd
CVE-2020-5220
2020-01-27 21:15:11
CVE-2020-5218
2020-01-27 21:15:11
github
github
cve
cve
CVE-2020-5220
2020-01-27 21:15:11
CVE-2020-5218
2020-01-27 21:15:11
cvelist
cvelist