293 matches found
CVE-2020-5218
Affected versions of Sylius give attackers the ability to switch channels via the channelcode GET parameter in production environments. This was meant to be enabled only when kernel.debug is set to true. However, if no syliuschannel.debug is set explicitly in the configuration, the default value...
CVE-2019-16768
In affected versions of Sylius, exception messages from internal exceptions like database exception are wrapped by \Symfony\Component\Security\Core\Exception\AuthenticationServiceException and propagated through the system to UI. Therefore, some internal system information may leak and be visible...
Payment Manipulation
Sylius PayPal Plugin is vulnerable to Payment Manipulation. The vulnerability is due to PayPal not receiving updated totals after item quantity changes, allowing attackers to pay less than the actual order value, causing financial losses for merchants...
External Control of Assumed-Immutable Web Parameter
Overview sylius/paypal-plugin is a PayPal plugin for Sylius. Affected versions of this package are vulnerable to External Control of Assumed-Immutable Web Parameter. The user-input payment amount is not adequately confirmed to be the same between payment completion and order authorization, in...
CVE-2025-30152
The Syliud PayPal Plugin is the Sylius Core Team’s plugin for the PayPal Commerce Platform. Prior to 1.6.2, 1.7.2, and 2.0.2, a discovered vulnerability allows users to modify their shopping cart after completing the PayPal Checkout process and payment authorization. If a user initiates a PayPal...
CVE-2025-30152 Sylius PayPal Plugin has an Order Manipulation Vulnerability after PayPal Checkout
The Syliud PayPal Plugin is the Sylius Core Team’s plugin for the PayPal Commerce Platform. Prior to 1.6.2, 1.7.2, and 2.0.2, a discovered vulnerability allows users to modify their shopping cart after completing the PayPal Checkout process and payment authorization. If a user initiates a PayPal...
CVE-2025-30152 Sylius PayPal Plugin has an Order Manipulation Vulnerability after PayPal Checkout
The Syliud PayPal Plugin is the Sylius Core Team’s plugin for the PayPal Commerce Platform. Prior to 1.6.2, 1.7.2, and 2.0.2, a discovered vulnerability allows users to modify their shopping cart after completing the PayPal Checkout process and payment authorization. If a user initiates a PayPal...
CVE-2025-29788
The Syliud PayPal Plugin is the Sylius Core Team’s plugin for the PayPal Commerce Platform. A vulnerability in versions prior to 1.6.1, 1.7.1, and 2.0.1 allows users to manipulate the final payment amount processed by PayPal. If a user modifies the item quantity in their shopping cart after...
PayPal Plugin 安全漏洞
PayPal Plugin is an open source plugin for the PayPal commerce platform from Sylius eCommerce. A security vulnerability exists in PayPal Plugin versions prior to 1.6.2, prior to 1.7.2, and prior to 2.0.2, which originates from a user being able to modify the shopping cart after completing the...
External Control of Assumed-Immutable Web Parameter
Overview sylius/paypal-plugin is a PayPal plugin for Sylius. Affected versions of this package are vulnerable to External Control of Assumed-Immutable Web Parameter. The user-input payment amount is not adequately confirmed to be the same between initial entry and payment completion, in...
CVE-2025-29788 Sylius PayPal Plugin Payment Amount Manipulation Vulnerability
The Syliud PayPal Plugin is the Sylius Core Team’s plugin for the PayPal Commerce Platform. A vulnerability in versions prior to 1.6.1, 1.7.1, and 2.0.1 allows users to manipulate the final payment amount processed by PayPal. If a user modifies the item quantity in their shopping cart after...
CVE-2025-29788 Sylius PayPal Plugin Payment Amount Manipulation Vulnerability
The Syliud PayPal Plugin is the Sylius Core Team’s plugin for the PayPal Commerce Platform. A vulnerability in versions prior to 1.6.1, 1.7.1, and 2.0.1 allows users to manipulate the final payment amount processed by PayPal. If a user modifies the item quantity in their shopping cart after...
CVE-2025-29788 Sylius PayPal Plugin Payment Amount Manipulation Vulnerability
The Syliud PayPal Plugin is the Sylius Core Team’s plugin for the PayPal Commerce Platform. A vulnerability in versions prior to 1.6.1, 1.7.1, and 2.0.1 allows users to manipulate the final payment amount processed by PayPal. If a user modifies the item quantity in their shopping cart after...
CVE-2025-29788
CVE-2025-29788 affects the Sylius PayPal Plugin (Sylius Core Team) for PayPal Commerce. In versions prior to 1.6.1, 1.7.1, and 2.0.1, a vulnerability allows manipulating the final PayPal payment amount when a user changes the item quantity in the cart after initiating PayPal Express Checkout. Pay...
PayPal Plugin 安全漏洞
PayPal Plugin is an open source plugin for the PayPal commerce platform from Sylius eCommerce. A security vulnerability exists in PayPal Plugin versions prior to 1.6.1, prior to 1.7.1, and prior to 2.0.1, which stems from payment amount manipulation and could lead to fraud...
CVE-2024-57610
A rate limiting issue in Sylius v2.0.2 allows a remote attacker to perform unrestricted brute-force attacks on user accounts, significantly increasing the risk of account compromise and denial of service for legitimate users. The Supplier's position is that the Sylius core software is not intende...
Improper Restriction of Excessive Authentication Attempts
Overview sylius/sylius is a platform for PHP, based on Symfony framework. Affected versions of this package are vulnerable to Improper Restriction of Excessive Authentication Attempts due to improper rate limiting mechanism. An attacker can perform repeated login attempts without being restricted...
GHSA-2HJH-495W-HMXC Withdrawn Advisory: Sylius allows unrestricted brute-force attacks on user accounts
Withdrawn Advisory This advisory has been withdrawn because it is not a vulnerability in the Sylius framework. This link is maintained to preserve external references. Original Description A rate limiting issue in Sylius v2.0.2 allows a remote attacker to perform unrestricted brute-force attacks ...
CVE-2024-57610
A rate limiting issue in Sylius v2.0.2 allows a remote attacker to perform unrestricted brute-force attacks on user accounts, significantly increasing the risk of account compromise and denial of service for legitimate users. The Supplier's position is that the Sylius core software is not intende...
CVE-2024-57610
A rate limiting issue in Sylius v2.0.2 allows a remote attacker to perform unrestricted brute-force attacks on user accounts, significantly increasing the risk of account compromise and denial of service for legitimate users. The Supplier's position is that the Sylius core software is not intende...