CVE-2020-5218
MEDIUM4.4EPSS 0.30%Ability to switch channels via GET parameter enabled in production environments
Description
### Impact This vulnerability gives the ability to switch channels via the `_channel_code` GET parameter in production environments. This was meant to be enabled only when `%kernel.debug%` is set to true. However, if no `sylius_channel.debug` is set explicitly in the configuration, the default value which is `%kernel.debug%` will be not resolved and cast to boolean, enabling this debug feature even if that parameter is set to false. ### Patches Patch has been provided for Sylius 1.3.x and newer - **1.3.16, 1.4.12, 1.5.9, 1.6.5**. Versions older than 1.3 are not covered by our security support anymore. ### Workarounds Unsupported versions could be patched by adding the following configuration to run in production: ```yaml sylius_channel: debug: false ```
Affected packages (1)
- Packagist/sylius/syliusfrom 0, < 1.3.16
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM4.4 | CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N |
References (4)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2020-5218
- WEBhttps://github.com/FriendsOfPHP/security-advisories/blob/master/sylius/resource-bundle/CVE-2020-5220.yaml
- WEBhttps://github.com/Sylius/SyliusResourceBundle/security/advisories/GHSA-8vp7-j5cj-vvm2
- WEBhttps://github.com/Sylius/Sylius/security/advisories/GHSA-prg5-hg25-8grq