CVE-2020-15245

EPSS 0.17%
Veröffentlicht 19.10.2020 21:15:12
Zuletzt bearbeitet 21.11.2024 05:05:10
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

In Sylius before versions 1.6.9, 1.7.9 and 1.8.3, the user may register in a shop by email mail@example.com, verify it, change it to the mail another@domain.com and stay verified and enabled. This may lead to having accounts addressed to totally different emails, that were verified. Note, that this way one is not able to take over any existing account (guest or normal one). The issue has been patched in Sylius 1.6.9, 1.7.9 and 1.8.3. As a workaround, you may resolve this issue on your own by creating a custom event listener, which will listen to the sylius.customer.pre_update event. You can determine that email has been changed if customer email and user username are different. They are synchronized later on. Pay attention, to email changing behavior for administrators. You may need to skip this logic for them. In order to achieve this, you should either check master request path info, if it does not contain /admin prefix or adjust event triggered during customer update in the shop. You can find more information on how to customize the event here.

Betroffene Produkte Warnungen 0 Metriken 4 CWE 2 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Sylius ≫ Sylius Version < 1.6.9

Sylius ≫ Sylius Version >= 1.7.0 < 1.7.9

Sylius ≫ Sylius Version >= 1.8.0 < 1.8.3

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.17%	0.355

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	4.3	2.8	1.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
nvd@nist.gov	4	8	2.9	AV:N/AC:L/Au:S/C:N/I:P/A:N
security-advisories@github.com	4.3	2.8	1.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

CWE-862 Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

https://github.com/Sylius/Sylius/commit/60636d711a4011e8694d10d201b53632c7e8ecaf

Patch

Third Party Advisory

https://github.com/Sylius/Sylius/security/advisories/GHSA-6gw4-x63h-5499

Third Party Advisory

Mitigation

https://nvd.nist.gov/vuln/detail/CVE-2020-15245

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2020-15245

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2020-15245

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2020-15245