GHSA-6gw4-x63h-5499

Source

https://github.com/advisories/GHSA-6gw4-x63h-5499

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/10/GHSA-6gw4-x63h-5499/GHSA-6gw4-x63h-5499.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-6gw4-x63h-5499

Aliases

CVE-2020-15245

Published

2020-10-19T20:40:59Z

Modified

2024-02-06T13:46:13.809821Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N CVSS Calculator

Summary

Ability to switch customer email address on account detail page and stay verified

Details

Impact

The user may register in a shop by email mail@example.com, verify it, change it to the mail another@domain.com and stay verified and enabled. This may lead to having accounts addressed to totally different emails, that were verified. Note, that this way one is not able to take over any existing account (guest or normal one).

Patches

Patch has been provided for Sylius 1.6.x and newer - 1.6.9, 1.7.9, 1.8.3. Versions older than 1.6 are not covered by our security support anymore.

Workarounds

If for whatever reason you are not able to upgrade your application version, you may resolve this issue on your own by creating a custom event listener, which will listen to the sylius.customer.pre_update event. You can determine that email has been changed if customer email and user username are different. They are synchronized later on. Pay attention, to email changing behavior for administrators. You may need to skip this logic for them. In order to achieve this, you should either check master request path info, if it does not contain /admin prefix or adjust event triggered during customer update in the shop. You can find more information on how to customize the event here.

Acknowledgements

This security issue has been reported by Mircea Silviu (@decemvre), thanks a lot!

For more information

If you have any questions or comments about this advisory: * Email us at security@sylius.com

Database specific

{
    "nvd_published_at": "2020-10-19T21:15:00Z",
    "cwe_ids": [
        "CWE-79",
        "CWE-862"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2020-10-19T20:40:50Z"
}

References

Affected packages

Packagist / sylius/sylius

Package

Name: sylius/sylius
Purl: pkg:composer/sylius/sylius

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.7.0

Fixed

1.7.9

Affected versions

v1.*

v1.7.0

v1.7.1

v1.7.2

v1.7.3

v1.7.4

v1.7.5

v1.7.6

v1.7.7

v1.7.8

Packagist / sylius/sylius

Package

Name: sylius/sylius
Purl: pkg:composer/sylius/sylius

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.8.0

Fixed

1.8.3

Affected versions

v1.*

v1.8.0

v1.8.1

v1.8.2

Packagist / sylius/sylius

Package

Name: sylius/sylius
Purl: pkg:composer/sylius/sylius

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.0.0

Fixed

1.6.9

Affected versions

v1.*

v1.0.0

v1.0.1

v1.0.2

v1.0.3

v1.0.4

v1.0.5

v1.0.6

v1.0.7

v1.0.8

v1.0.9

v1.0.10

v1.0.11

v1.0.12

v1.0.13

v1.0.14

v1.0.15

v1.0.16

v1.0.17

v1.0.18

v1.1.0-RC

v1.1.0

v1.1.1

v1.1.2

v1.1.3

v1.1.4

v1.1.5

v1.1.6

v1.1.7

v1.1.8

v1.1.9

v1.1.10

v1.1.11

v1.1.12

v1.1.13

v1.1.14

v1.1.15

v1.1.16

v1.1.17

v1.1.18

v1.2.0-BETA

v1.2.0-RC

v1.2.0

v1.2.1

v1.2.2

v1.2.3

v1.2.4

v1.2.5

v1.2.6

v1.2.7

v1.2.8

v1.2.9

v1.2.10

v1.2.11

v1.2.12

v1.2.13

v1.2.14

v1.2.15

v1.2.16

v1.2.17

v1.3.0-BETA

v1.3.0

v1.3.1

v1.3.2

v1.3.3

v1.3.4

v1.3.5

v1.3.6

v1.3.7

v1.3.8

v1.3.9

v1.3.10

v1.3.11

v1.3.12

v1.3.13

v1.3.14

v1.3.15

v1.3.16

v1.4.0-BETA.1

v1.4.0

v1.4.1

v1.4.2

v1.4.3

v1.4.4

v1.4.5

v1.4.6

v1.4.7

v1.4.8

v1.4.9

v1.4.10

v1.4.11

v1.4.12

v1.5.0-RC.1

v1.5.0

v1.5.1

v1.5.2

v1.5.3

v1.5.4

v1.5.5

v1.5.6

v1.5.7

v1.5.8

v1.5.9

v1.6.0-ALPHA.1

v1.6.0-ALPHA.2

v1.6.0-RC.1

v1.6.0

v1.6.1

v1.6.2

v1.6.3

v1.6.4

v1.6.5

v1.6.6

v1.6.7

v1.6.8