
Ability to switch channels via GET parameter enabled in production environments

Low severity GitHub Reviewed Published Jan 27, 2020 in Sylius/Sylius • Updated Jan 9, 2023

Package

composer sylius/sylius (Composer)

Affected versions

< 1.3.16
>= 1.4.0, < 1.4.12
>= 1.5, < 1.5.9
>= 1.6.0, < 1.6.5

Patched versions

1.3.16
1.4.12
1.5.9
1.6.5

Description

Impact

This vulnerability allows switching the active channel via the _channel_code GET parameter in production environments. This behaviour was meant to be enabled only when %kernel.debug% is true.

However, if sylius_channel.debug is not set explicitly in the configuration, its default value, %kernel.debug%, is not resolved as a parameter but cast directly to boolean. The non-empty placeholder string is truthy, so the debug feature is enabled even when kernel.debug is set to false.
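The root cause in miniature, as an added example that is not Sylius code: a small stand-in for Symfony's parameter resolution shows why casting the unresolved default to boolean yields true while resolving the placeholder first yields false. The parameter bag, the resolvePlaceholders() helper and the two channelDebugEnabled*() functions are constructed for this illustration.

```php
<?php
// Added example (not Sylius code): reproduces the CVE-2020-5218 root cause.

// Constructed parameter bag; in a production deployment kernel.debug is false.
$parameters = ['kernel.debug' => false];

// Configuration as it looks when sylius_channel.debug is NOT set explicitly:
// the default is the unresolved placeholder string "%kernel.debug%".
$config = ['debug' => '%kernel.debug%'];

// Minimal stand-in for Symfony's ParameterBag::resolveValue(): a value that is
// exactly one "%name%" placeholder is replaced (recursively) by that parameter,
// keeping the parameter's type. Anything else is returned unchanged.
function resolvePlaceholders($value, array $parameters)
{
    if (!is_string($value)) {
        return $value;
    }
    if (preg_match('/^%([^%\s]+)%$/', $value, $m)) {
        if (!array_key_exists($m[1], $parameters)) {
            throw new RuntimeException(sprintf('Unknown parameter "%s".', $m[1]));
        }
        return resolvePlaceholders($parameters[$m[1]], $parameters);
    }
    return $value;
}

// Vulnerable behaviour: casting the raw config value to bool. The non-empty
// string "%kernel.debug%" is truthy, so debug mode is enabled in production.
function channelDebugEnabledVulnerable(array $config): bool
{
    return (bool) $config['debug'];
}

// Corrected behaviour: resolve the placeholder first, then cast.
function channelDebugEnabledFixed(array $config, array $parameters): bool
{
    return (bool) resolvePlaceholders($config['debug'], $parameters);
}

var_dump(channelDebugEnabledVulnerable($config));
var_dump(channelDebugEnabledFixed($config, $parameters));

// The advisory's workaround: an explicit literal in sylius_channel.debug never
// depends on placeholder resolution, so both code paths agree on false.
$explicit = ['debug' => false];
var_dump(channelDebugEnabledVulnerable($explicit));
```

Running it prints true for the vulnerable path on the placeholder default, false for the resolved path, and false for the explicit literal, which is why the explicit setting is an effective workaround on unpatched versions.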

Patches

A patch has been provided for Sylius 1.3.x and newer: 1.3.16, 1.4.12, 1.5.9 and 1.6.5. Versions older than 1.3 are no longer covered by our security support.

Workarounds

Unsupported versions can be mitigated by adding the following configuration to the production environment, which sets the value explicitly instead of relying on the default:

sylius_channel:
    debug: false

References

@pamil pamil published to Sylius/Sylius Jan 27, 2020
Reviewed Jan 27, 2020
Published to the GitHub Advisory Database Jan 31, 2020
Last updated Jan 9, 2023

Severity

Low

EPSS score

0.050%
(21st percentile)

Weaknesses

CVE ID

CVE-2020-5218

GHSA ID

GHSA-prg5-hg25-8grq

Source code

No known source code