Unauthorized Channel Switching

2020-02-0313:16:05

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

0.001 Low

EPSS

Percentile

19.6%

JSON

Sylius is vulnerable to unauthorised channel switching. The vulnerability exists even when kernel.debug is not set to true, the channels can be switched by providing the _channel_code GET parameter in production environments.

CPENameOperatorVersion
sylius/syliusle1.4.11
sylius/syliusle1.6.4
sylius/syliusle1.5.8
sylius/syliusle1.3.15

Name	Operator	Version
sylius/sylius	le	1.4.11
sylius/sylius	le	1.6.4
sylius/sylius	le	1.5.8
sylius/sylius	le	1.3.15

References

github.com/FriendsOfPHP/security-advisories/blob/master/sylius/resource-bundle/CVE-2020-5220.yaml

github.com/Sylius/Sylius/blob/b73fd34c46a9e6091025eb9dc866000b50b06fe2/CHANGELOG-1.3.md

github.com/Sylius/Sylius/blob/b73fd34c46a9e6091025eb9dc866000b50b06fe2/CHANGELOG-1.4.md

github.com/Sylius/Sylius/blob/b73fd34c46a9e6091025eb9dc866000b50b06fe2/CHANGELOG-1.5.md

github.com/Sylius/Sylius/blob/b73fd34c46a9e6091025eb9dc866000b50b06fe2/CHANGELOG-1.6.md

github.com/Sylius/Sylius/security/advisories/GHSA-prg5-hg25-8grq

github.com/Sylius/SyliusResourceBundle/security/advisories/GHSA-8vp7-j5cj-vvm2

0.001 Low

EPSS

Percentile

19.6%

JSON

Related for VERACODE:22449