
CVSS: 4.3 | EPSS: 0% | CPEs: 3 | EXPL: 0

In Sylius before versions 1.6.9, 1.7.9 and 1.8.3, a user may register in a shop with the e-mail address mail@example.com, verify it, then change it to another@domain.com and remain verified and enabled. As a result, accounts can end up bound to entirely different e-mail addresses while still carrying verified status. Note that this does not allow taking over any existing account (guest or regular). The issue has been patched in Sylius 1.6.9, 1.7.9 and 1.8.3. As a workaround, you may resolve the issue yourself by creating a custom event listener for the sylius.customer.pre_update event that resets the verification status whenever the e-mail address changes.
• https://github.com/Sylius/Sylius/commit/60636d711a4011e8694d10d201b53632c7e8ecaf https://github.com/Sylius/Sylius/security/advisories/GHSA-6gw4-x63h-5499
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-862: Missing Authorization
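The workaround mentioned above, written out as an added example; this is not Sylius's own code nor the upstream fix. It assumes a Symfony application using Sylius, and the class name, method name and service id are assumptions; the event name sylius.customer.pre_update comes from the advisory, and the Sylius and Doctrine calls used (ResourceControllerEvent::getSubject(), CustomerInterface::getUser(), UserInterface::setVerifiedAt()/setEnabled()/setEmailVerificationToken(), UnitOfWork::getOriginalEntityData()) are existing APIs. The listener compares the e-mail the form just wrote into the Customer entity with the value still held in Doctrine's UnitOfWork and, if they differ, drops the verification and disables the linked ShopUser so the new address has to be verified again.

```php
<?php
// Added example (not Sylius's own code): workaround listener for
// sylius.customer.pre_update that un-verifies the linked ShopUser when the
// customer's e-mail address changes. Class, method and service names are
// assumptions; the Sylius/Doctrine APIs used exist in Sylius 1.x.

declare(strict_types=1);

namespace App\EventListener;

use Doctrine\ORM\EntityManagerInterface;
use Sylius\Bundle\ResourceBundle\Event\ResourceControllerEvent;
use Sylius\Component\Core\Model\CustomerInterface;

final class ResetVerificationOnEmailChangeListener
{
    public function __construct(private EntityManagerInterface $entityManager)
    {
    }

    public function onCustomerPreUpdate(ResourceControllerEvent $event): void
    {
        $customer = $event->getSubject();
        if (!$customer instanceof CustomerInterface) {
            return;
        }

        // Guest customers have no ShopUser, so there is no verification to reset.
        $user = $customer->getUser();
        if (null === $user) {
            return;
        }

        // At pre_update the form has already written the new e-mail into the
        // entity; the previously persisted value is still available from the
        // UnitOfWork because nothing has been flushed yet.
        $original = $this->entityManager->getUnitOfWork()->getOriginalEntityData($customer);
        $oldEmail = $original['email'] ?? null;
        $newEmail = $customer->getEmail();

        if (null === $oldEmail || null === $newEmail
            || self::normalize($oldEmail) === self::normalize($newEmail)) {
            return; // unchanged (or not yet persisted): keep the current status
        }

        // The old verification proved control of the old address only, so drop
        // it, clear any pending token and disable the account until the user
        // verifies the new address.
        $user->setVerifiedAt(null);
        $user->setEmailVerificationToken(null);
        $user->setEnabled(false);
    }

    private static function normalize(string $email): string
    {
        return strtolower(trim($email));
    }
}

/*
 * Registration (config/services.yaml), service id assumed:
 *
 * services:
 *     App\EventListener\ResetVerificationOnEmailChangeListener:
 *         tags:
 *             - { name: kernel.event_listener, event: sylius.customer.pre_update, method: onCustomerPreUpdate }
 */
```

Two caveats a practitioner should check before deploying this: sylius.customer.pre_update is also dispatched for admin-side customer edits, so an administrator correcting an address will likewise unverify and disable the account (decide whether that is acceptable, or skip the reset when the current security context is an admin user); and the check compares against the Customer entity's own email column, so confirm in your installation that the shop user's e-mail is kept in sync with it, otherwise compare against the ShopUser's persisted e-mail instead. Upgrading to 1.6.9, 1.7.9 or 1.8.3 remains the proper fix.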