CVE-2020-15245
Email verification bypass in Sylius
Description
In Sylius before versions 1.6.9, 1.7.9 and 1.8.3, a user may register in a shop with the email mail@example.com, verify it, change it to another@domain.com, and remain verified and enabled. This can result in accounts that are marked as verified while being addressed to an entirely different email that was never verified. Note that this does not allow taking over any existing account (guest or normal). The issue has been patched in Sylius 1.6.9, 1.7.9 and 1.8.3. As a workaround, you can resolve the issue yourself by creating a custom event listener for the sylius.customer.pre_update event. You can detect that the email has been changed when the customer email and the user username differ; they are synchronized later on. Pay attention to the email-changing behavior for administrators, for whom you may need to skip this logic. To do so, either check whether the master request's path info contains the /admin prefix, or adjust the event triggered during a customer update in the shop. More information on how to customize the event is available in the Sylius documentation.
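The workaround described above, written out as a Symfony event subscriber. This is an added example, not code from Sylius or from the advisory; the class name, namespace, and the assumption that the admin panel is mounted under the default /admin prefix are mine, and it relies on the Sylius 1.x resource event (`ResourceControllerEvent`) and the `CustomerInterface` / `ShopUserInterface` accessors existing under those names.

```php
<?php

declare(strict_types=1);

namespace App\EventListener;

use Sylius\Bundle\ResourceBundle\Event\ResourceControllerEvent;
use Sylius\Component\Core\Model\CustomerInterface;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpFoundation\RequestStack;

/**
 * Workaround listener for CVE-2020-15245 on Sylius releases before 1.6.9 / 1.7.9 / 1.8.3.
 *
 * At sylius.customer.pre_update the new email is already set on the Customer entity,
 * while the ShopUser username (which mirrors the email) is only synchronized later.
 * A mismatch therefore means "the email is being changed in this request", and the
 * verified/enabled state is reset so the new address has to be verified again.
 * (Hypothetical class name and namespace; register it as a service.)
 */
final class CustomerEmailChangeListener implements EventSubscriberInterface
{
    /** @var RequestStack */
    private $requestStack;

    public function __construct(RequestStack $requestStack)
    {
        $this->requestStack = $requestStack;
    }

    public static function getSubscribedEvents(): array
    {
        return ['sylius.customer.pre_update' => 'onCustomerPreUpdate'];
    }

    public function onCustomerPreUpdate(ResourceControllerEvent $event): void
    {
        $customer = $event->getSubject();
        if (!$customer instanceof CustomerInterface) {
            return;
        }

        // Administrators change customer emails from the admin panel; the advisory
        // suggests skipping the logic there. Assumption: the panel lives under /admin.
        $request = $this->requestStack->getMasterRequest();
        if ($request !== null && strpos($request->getPathInfo(), '/admin') === 0) {
            return;
        }

        $user = $customer->getUser();
        if ($user === null) {
            return; // guest customer without a login account: nothing to invalidate
        }

        // The username still holds the previously verified email; a difference means
        // the email was changed in this update.
        if ($customer->getEmail() === $user->getUsername()) {
            return;
        }

        // Drop the verified state, discard any outstanding verification token and
        // disable the login until the new address has been confirmed again.
        $user->setVerifiedAt(null);
        $user->setEmailVerificationToken(null);
        $user->setEnabled(false);
    }
}
```

With Symfony's default autoconfiguration the subscriber is registered automatically because it implements `EventSubscriberInterface`; otherwise tag the service with `kernel.event_subscriber`. Sending a fresh verification email to the new address is left to the application's existing registration/verification flow, and if the shop changes a customer's email through a different route than the customer update in the shop, the event name must be adjusted accordingly, as the advisory notes.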
Timeline
- 2020-06-25 CVE Reserved
- 2020-10-19 CVE Published
- 2023-03-08 EPSS Updated
- 2024-08-04 CVE Updated
CWE
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- CWE-862: Missing Authorization
References (2)
URL | Tag | Date
---|---|---
https://github.com/Sylius/Sylius/security/advisories/GHSA-6gw4-x63h-5499 | Mitigation | -
https://github.com/Sylius/Sylius/commit/60636d711a4011e8694d10d201b53632c7e8ecaf | - | 2021-11-18
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Sylius | Sylius | < 1.6.9 | - | Affected
Sylius | Sylius | >= 1.7.0 < 1.7.9 | - | Affected
Sylius | Sylius | >= 1.8.0 < 1.8.3 | - | Affected