CVE-2020-5218
MEDIUM4.4EPSS 0.30%Ability to switch channels via GET parameter enabled in production environments
描述
### Impact This vulnerability gives the ability to switch channels via the `_channel_code` GET parameter in production environments. This was meant to be enabled only when `%kernel.debug%` is set to true. However, if no `sylius_channel.debug` is set explicitly in the configuration, the default value which is `%kernel.debug%` will be not resolved and cast to boolean, enabling this debug feature even if that parameter is set to false. ### Patches Patch has been provided for Sylius 1.3.x and newer - **1.3.16, 1.4.12, 1.5.9, 1.6.5**. Versions older than 1.3 are not covered by our security support anymore. ### Workarounds Unsupported versions could be patched by adding the following configuration to run in production: ```yaml sylius_channel: debug: false ```
受影響套件(1)
- Packagist/sylius/syliusfrom 0, < 1.3.16
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM4.4 | CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N |
參考連結(4)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2020-5218
- WEBhttps://github.com/FriendsOfPHP/security-advisories/blob/master/sylius/resource-bundle/CVE-2020-5220.yaml
- WEBhttps://github.com/Sylius/SyliusResourceBundle/security/advisories/GHSA-8vp7-j5cj-vvm2
- WEBhttps://github.com/Sylius/Sylius/security/advisories/GHSA-prg5-hg25-8grq