CVE-2020-15146

Source
https://nvd.nist.gov/vuln/detail/CVE-2020-15146
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-15146.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2020-15146
Aliases
Published
2020-08-20T01:17:12Z
Modified
2024-10-12T06:10:55.705436Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

In SyliusResourceBundle before versions 1.3.14, 1.4.7, 1.5.2 and 1.6.4, request parameters injected inside an expression evaluated by symfony/expression-language package haven't been sanitized properly. This allows the attacker to access any public service by manipulating that request parameter, allowing for Remote Code Execution. This issue has been patched for versions 1.3.14, 1.4.7, 1.5.2 and 1.6.4. Versions prior to 1.3 were not patched.

References

Affected packages

Git / github.com/sylius/syliusresourcebundle

Affected versions

v1.*

v1.1.18
v1.2.17
v1.3.10
v1.3.11
v1.3.12
v1.3.13
v1.3.9
v1.4.0
v1.4.1
v1.4.2
v1.4.3
v1.4.4
v1.4.5
v1.4.6