Information Exposure

Affecting sylius/sylius package, versions <1.3.14 || >=1.4, <1.4.10 || >=1.5, <1.5.7 || >=1.6, <1.6.3


Overview

sylius/sylius is an e-commerce platform for PHP, built on the Symfony framework.

Affected versions of this package are vulnerable to Information Exposure. Exception messages from internal exceptions are wrapped in \Symfony\Component\Security\Core\Exception\AuthenticationServiceException and propagated through the system to the UI, allowing users to see system information.

A validation message containing the exception details is presented to the user when they try to log into the shop.
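The following is an added illustration of the failure mode described above, not code from Sylius or Symfony. The two exception classes at the top are minimal stand-ins for Symfony's AuthenticationException and AuthenticationServiceException (same constructor, same default message keys) so the script runs with plain PHP; the "leaky" variant, the backend failure text and the login-template renderer are all constructed for the example, and the exact Sylius code path that leaked the message is not on this page.

```php
<?php
declare(strict_types=1);

// Stand-in for Symfony's AuthenticationException: login templates render
// getMessageKey() (normally a translatable, generic key), not getMessage().
class AuthenticationException extends RuntimeException
{
    public function getMessageKey(): string
    {
        return 'An authentication exception occurred.';
    }
}

// Stand-in for AuthenticationServiceException, the wrapper used for
// infrastructure failures inside the security system.
class AuthenticationServiceException extends AuthenticationException
{
    public function getMessageKey(): string
    {
        return 'Authentication request could not be processed due to a system problem.';
    }
}

// Constructed internal failure carrying details a shop customer must not see.
function loadUserFromStorage(string $username): array
{
    throw new RuntimeException(
        'SQLSTATE[HY000] [2002] Connection refused (host=db-internal.example, user=app_ro)'
    );
}

// Vulnerable pattern (hypothetical): the wrapper forwards the internal
// message as its user-facing key, so whatever the backend said ends up
// in the validation message on the login form.
class LeakyServiceException extends AuthenticationServiceException
{
    public function getMessageKey(): string
    {
        return $this->getMessage();
    }
}

function authenticateLeaky(string $username): void
{
    try {
        loadUserFromStorage($username);
    } catch (RuntimeException $e) {
        throw new LeakyServiceException($e->getMessage(), 0, $e);
    }
}

// Hardened pattern: the original exception is kept as $previous and written
// to the server log; the user-facing key stays the generic one.
function authenticateSafe(string $username, callable $logger): void
{
    try {
        loadUserFromStorage($username);
    } catch (RuntimeException $e) {
        $logger('error', 'Authentication backend failure', ['exception' => $e]);
        throw new AuthenticationServiceException('Authentication backend failure', 0, $e);
    }
}

// What a login template would show after each variant.
function renderLoginError(AuthenticationException $e): string
{
    return 'Login failed: ' . $e->getMessageKey();
}

$log = [];
$logger = function (string $level, string $msg, array $ctx) use (&$log): void {
    $log[] = sprintf('%s %s: %s', strtoupper($level), $msg, $ctx['exception']->getMessage());
};

try {
    authenticateLeaky('alice');
} catch (AuthenticationException $e) {
    echo 'leaky: ', renderLoginError($e), PHP_EOL;   // shows host and DB user
}

try {
    authenticateSafe('alice', $logger);
} catch (AuthenticationException $e) {
    echo 'safe:  ', renderLoginError($e), PHP_EOL;   // generic message only
}

echo 'server log: ', implode('; ', $log), PHP_EOL;     // details stay server-side
```

Running the script prints the backend connection string in the "leaky" line and only the generic key in the "safe" line, with the detail preserved in the log. The same check works as a regression test for a deployment: induce a backend failure in a staging environment (for example, by pointing the user provider at an unreachable database) and confirm the login form's error text stays generic while the server log still records the cause.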

Remediation

Upgrade sylius/sylius to version 1.3.14, 1.4.10, 1.5.7, 1.6.3 or higher.

CVSS Score

5.9
medium severity
  • Attack Vector
    Network
  • Attack Complexity
    High
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    High
  • Integrity
    None
  • Availability
    None
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Credit
Unknown
CVE
CVE-2019-16768
CWE
CWE-200
Snyk ID
SNYK-PHP-SYLIUSSYLIUS-536839
Disclosed
05 Dec, 2019
Published
05 Dec, 2019