Access Restriction Bypass Affecting sylius/sylius package, versions <1.6.9, >=1.7.0 <1.7.9, >=1.8.0 <1.8.3


Severity: medium

CVSS assessment made by Snyk's Security Team.

Threat Intelligence: EPSS 0.05% (20th percentile)

  • Snyk ID: SNYK-PHP-SYLIUSSYLIUS-1019461
  • Published: 20 Oct 2020
  • Disclosed: 20 Oct 2020
  • Credit: Mircea Silviu

Introduced: 20 Oct 2020

CVE-2020-15245
CWE-284

How to fix?

Upgrade sylius/sylius to version 1.6.9, 1.7.9, 1.8.3 or higher.

Overview

sylius/sylius is an e-commerce platform for PHP, based on the Symfony framework.

Affected versions of this package are vulnerable to Access Restriction Bypass. A user may register in a shop with the email mail@example.com, verify it, then change the address to another@domain.com and remain verified and enabled. The result is accounts that are marked as verified but are addressed to entirely different email addresses that were never verified.
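The defect class described above, and the fix pattern an upgrade applies, can be shown with a small model. The following is an added example written for this page, not Sylius's own code: the `ShopUser` class, its field names, the `emailUpdatedAt` audit column and the sample rows are all assumptions. It contrasts a setter that carries verification state across an address change with one that invalidates it, and adds a check a shop operator can run over existing accounts after upgrading.

```php
<?php
declare(strict_types=1);

// Hypothetical user model (not Sylius code) illustrating CVE-2020-15245:
// verification earned for one address must not survive a change to another.
final class ShopUser
{
    private string $email;
    private ?\DateTimeImmutable $verifiedAt = null;
    private bool $enabled = false;
    private ?string $verificationToken = null;

    public function __construct(string $email)
    {
        $this->email = strtolower(trim($email));
    }

    public function getEmail(): string { return $this->email; }
    public function isVerified(): bool { return $this->verifiedAt !== null; }
    public function isEnabled(): bool { return $this->enabled; }

    // Issue a fresh random token; the application sends it to the address out of band.
    public function requestVerification(): string
    {
        $this->verificationToken = bin2hex(random_bytes(16));
        return $this->verificationToken;
    }

    // Mark the CURRENT address verified only if the presented token matches.
    public function verify(string $token): bool
    {
        if ($this->verificationToken === null || !hash_equals($this->verificationToken, $token)) {
            return false;
        }
        $this->verifiedAt = new \DateTimeImmutable();
        $this->enabled = true;
        $this->verificationToken = null;
        return true;
    }

    // VULNERABLE pattern: the address is swapped, but verifiedAt/enabled
    // earned for the OLD address are carried over unchanged.
    public function setEmailInsecure(string $email): void
    {
        $this->email = strtolower(trim($email));
    }

    // FIXED pattern: a real address change resets verification and disables
    // the account until the NEW address proves ownership with a new token.
    public function setEmail(string $email): void
    {
        $normalized = strtolower(trim($email));
        if ($normalized === $this->email) {
            return; // same address, nothing to invalidate
        }
        $this->email = $normalized;
        $this->verifiedAt = null;
        $this->enabled = false;
        $this->verificationToken = null;
    }
}

// Post-upgrade audit over persisted rows (assumed columns: email, verified_at,
// email_updated_at). Flags accounts whose address changed AFTER verification,
// i.e. those that may have been affected before the fix was deployed.
function findSuspectAccounts(array $rows): array
{
    $suspects = [];
    foreach ($rows as $row) {
        if ($row['verified_at'] !== null
            && $row['email_updated_at'] !== null
            && $row['email_updated_at'] > $row['verified_at']) {
            $suspects[] = $row['email'];
        }
    }
    return $suspects;
}

// Walk-through with constructed data.
$user = new ShopUser('mail@example.com');
$user->verify($user->requestVerification());
$user->setEmailInsecure('another@domain.com');
printf("insecure: %s verified=%d enabled=%d\n", $user->getEmail(), $user->isVerified(), $user->isEnabled());

$user = new ShopUser('mail@example.com');
$user->verify($user->requestVerification());
$user->setEmail('another@domain.com');
printf("fixed:    %s verified=%d enabled=%d\n", $user->getEmail(), $user->isVerified(), $user->isEnabled());

// Constructed sample rows: only the second one changed its address after verifying.
$rows = [
    ['email' => 'ok@example.com',      'verified_at' => '2020-10-01 10:00:00', 'email_updated_at' => null],
    ['email' => 'another@domain.com',  'verified_at' => '2020-10-01 10:00:00', 'email_updated_at' => '2020-10-05 09:30:00'],
    ['email' => 'unverified@test.org', 'verified_at' => null,                  'email_updated_at' => '2020-10-06 08:00:00'],
];
print_r(findSuspectAccounts($rows));
```

The insecure setter prints the new address with `verified=1 enabled=1`, which is exactly the state the advisory describes; the fixed setter prints `verified=0 enabled=0` until a new token for the new address is confirmed. The audit helper returns only `another@domain.com`; accounts it flags are candidates for forced re-verification rather than automatic lockout, since a legitimate user who changed address before the fix would be caught as well.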

CVSS Scores: version 3.1