Vulnerability Description
Affected versions of Sylius allow attackers to switch channels via the _channel_code GET parameter in production environments. This feature was meant to be enabled only when kernel.debug is set to true. However, if sylius_channel.debug is not set explicitly in the configuration, its default value, the kernel.debug parameter, is not resolved but cast directly to a boolean, which enables the debug feature even when kernel.debug is set to false. Patches have been provided for Sylius 1.3.x and newer: 1.3.16, 1.4.12, 1.5.9 and 1.6.5. Versions older than 1.3 are no longer covered by our security support.
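The defect described above, as an added illustration that is not Sylius's own code: a constructed, simplified model of a bundle extension deciding at compile time whether the channel-switching debug feature is on. The helpers debugEnabledUnsafe, resolvePlaceholder and debugEnabledSafe and the inline parameter table are assumptions of this example; the unsafe variant casts the raw default, the placeholder string '%kernel.debug%', to boolean, while the safe variant resolves the placeholder against the container parameters first and also honours an explicit boolean from configuration.

```php
<?php
// Added example (not Sylius code): why an unresolved "%kernel.debug%"
// placeholder enables a debug-only feature in production, and a safe check.
declare(strict_types=1);

// Constructed container parameters for a production kernel.
$parameters = ['kernel.debug' => false];

// Default value a bundle Configuration might give sylius_channel.debug
// when the deployment does not set it explicitly (assumed form).
$configDebug = '%kernel.debug%';

// VULNERABLE pattern: cast the raw config value to boolean at compile time.
// The placeholder is a non-empty string, so the cast yields true regardless
// of what kernel.debug actually is.
function debugEnabledUnsafe(mixed $configValue): bool
{
    return (bool) $configValue;
}

// Resolve a "%name%" placeholder against the container parameters; any
// other value is returned unchanged. Unknown parameters are an error.
function resolvePlaceholder(mixed $value, array $parameters): mixed
{
    if (is_string($value) && preg_match('/^%([^%]+)%$/', $value, $m)) {
        if (!array_key_exists($m[1], $parameters)) {
            throw new RuntimeException("Unknown container parameter {$m[1]}");
        }
        return $parameters[$m[1]];
    }
    return $value;
}

// HARDENED pattern: resolve first, then insist on a real boolean so that a
// stray string can never silently switch the feature on.
function debugEnabledSafe(mixed $configValue, array $parameters): bool
{
    $resolved = resolvePlaceholder($configValue, $parameters);
    if (!is_bool($resolved)) {
        throw new InvalidArgumentException('sylius_channel.debug must resolve to a boolean');
    }
    return $resolved;
}

// Unset sylius_channel.debug in prod: unsafe check enables channel switching,
// safe check keeps it off. An explicit false is honoured by the safe check.
var_dump(debugEnabledUnsafe($configDebug));
var_dump(debugEnabledSafe($configDebug, $parameters));
var_dump(debugEnabledSafe(false, $parameters));
```

Setting sylius_channel.debug explicitly to false in the production configuration sidesteps the default entirely, which is why the description singles out deployments that leave it unset.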
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Sylius | Sylius | >= 1.3.0, < 1.3.13 |
Related Weaknesses (CWE)
References
- https://github.com/FriendsOfPHP/security-advisories/blob/master/sylius/resource- (Third Party Advisory)
- https://github.com/Sylius/SyliusResourceBundle/security/advisories/GHSA-8vp7-j5c (Patch, Third Party Advisory)
FAQ
What is CVE-2020-5218?
CVE-2020-5218 is a vulnerability with a CVSS score of 4.4 (MEDIUM). Affected versions of Sylius give attackers the ability to switch channels via the _channel_code GET parameter in production environments. This was meant to be enabled only when kernel.debug is set to ...
How severe is CVE-2020-5218?
CVE-2020-5218 has been rated MEDIUM with a CVSS base score of 4.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-5218?
Check the references section above for vendor advisories and patch information. Affected products include: Sylius Sylius.