Sylius/SyliusResourceBundle

Sylius/SyliusResourceBundle

Releases179

Frequency3 weeks 5 days

Last Release about 2 months ago

Stars234

Simpler CRUD for Symfony applications

Log in to subscribe

CVE History

CVE	Published	CVSS v3	CVSS v2
CVE-2020-15146 ↗	Aug 20, 2020Thursday, 20 August 2020, 01:17	9.6 CRITICAL	6.5 MEDIUM
In SyliusResourceBundle before versions 1.3.14, 1.4.7, 1.5.2 and 1.6.4, request parameters injected inside an expression evaluated by `symfony/expression-language` package haven't been sanitized properly. This allows the attacker to access any public service by manipulating that request parameter, allowing for Remote Code Execution. This issue has been patched for versions 1.3.14, 1.4.7, 1.5.2 and 1.6.4. Versions prior to 1.3 were not patched.
CVE-2020-15143 ↗	Aug 20, 2020Thursday, 20 August 2020, 01:17	7.7 HIGH	6.5 MEDIUM
In SyliusResourceBundle before versions 1.3.14, 1.4.7, 1.5.2 and 1.6.4, rrequest parameters injected inside an expression evaluated by `symfony/expression-language` package haven't been sanitized properly. This allows the attacker to access any public service by manipulating that request parameter, allowing for Remote Code Execution. This issue has been patched for versions 1.3.14, 1.4.7, 1.5.2 and 1.6.4. Versions prior to 1.3 were not patched.
CVE-2020-5218 ↗	Jan 27, 2020Monday, 27 January 2020, 21:15	4.4 MEDIUM	4 MEDIUM
Affected versions of Sylius give attackers the ability to switch channels via the _channel_code GET parameter in production environments. This was meant to be enabled only when kernel.debug is set to true. However, if no sylius_channel.debug is set explicitly in the configuration, the default value which is kernel.debug will be not resolved and cast to boolean, enabling this debug feature even if that parameter is set to false. Patch has been provided for Sylius 1.3.x and newer - 1.3.16, 1.4.12, 1.5.9, 1.6.5. Versions older than 1.3 are not covered by our security support anymore.
CVE-2020-5220 ↗	Jan 27, 2020Monday, 27 January 2020, 21:15	4.4 MEDIUM	5 MEDIUM
Sylius ResourceBundle accepts and uses any serialisation groups to be passed via a HTTP header. This might lead to data exposure by using an unintended serialisation group - for example it could make Shop API use a more permissive group from Admin API. Anyone exposing an API with ResourceBundle's controller is affected. The vulnerable versions are: <1.3 \|\| >=1.3.0 <=1.3.12 \|\| >=1.4.0 <=1.4.5 \|\| >=1.5.0 <=1.5.0 \|\| >=1.6.0 <=1.6.2. The patch is provided for Sylius ResourceBundle 1.3.13, 1.4.6, 1.5.1 and 1.6.3, but not for any versions below 1.3.