CVE-2020-5218

Description

### Impact This vulnerability gives the ability to switch channels via the `_channel_code` GET parameter in production environments. This was meant to be enabled only when `%kernel.debug%` is set to true. However, if no `sylius_channel.debug` is set explicitly in the configuration, the default value which is `%kernel.debug%` will be not resolved and cast to boolean, enabling this debug feature even if that parameter is set to false. ### Patches Patch has been provided for Sylius 1.3.x and newer - **1.3.16, 1.4.12, 1.5.9, 1.6.5**. Versions older than 1.3 are not covered by our security support anymore. ### Workarounds Unsupported versions could be patched by adding the following configuration to run in production: ```yaml sylius_channel: debug: false ```

How to fix CVE-2020-5218

To remediate CVE-2020-5218, upgrade the affected package to a fixed version below.

• —upgrade to 1.3.16 or later

Is CVE-2020-5218 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 1.3.16

CVSS scores

References (4)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-5218
• WEBgithub.com/FriendsOfPHP/security-advisories/blob/master/sylius/resource-bundle/CVE-2020-5220.yaml
• WEBgithub.com/Sylius/SyliusResourceBundle/security/advisories/GHSA-8vp7-j5cj-vvm2
• WEBgithub.com/Sylius/Sylius/security/advisories/GHSA-prg5-hg25-8grq