Sylius is vulnerable to unauthorised channel switching. The vulnerability exists even when kernel.debug
is not set to true: in production environments, channels can be switched by providing the _channel_code
GET parameter.
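As an added defensive example (not part of this advisory or of the Sylius code base), the following Python scans web-server access-log lines for requests that carry the _channel_code GET parameter named above, which a production deployment should never see. The log lines, client addresses, paths and channel codes are constructed for the example.

```python
"""Flag requests that carry the ``_channel_code`` GET parameter in access logs.

Added example, not Sylius project code. Sample log lines below are constructed
in combined log format; the addresses, paths and channel codes are made up.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Combined log format: client, timestamp, request line, status, response size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

SUSPICIOUS_PARAM = "_channel_code"  # parameter named in the advisory


def find_channel_switch_attempts(lines, debug_enabled=False):
    """Return one dict per request whose query string contains ``_channel_code``.

    With ``debug_enabled`` True the parameter is expected developer behaviour and
    nothing is reported; in production (the default) every occurrence is flagged.
    """
    if debug_enabled:
        return []
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash
        parts = urlsplit(m["target"])
        query = parse_qs(parts.query, keep_blank_values=True)
        if SUSPICIOUS_PARAM in query:
            hits.append({
                "ip": m["ip"],
                "timestamp": m["ts"],
                "path": parts.path,
                "channel_code": query[SUSPICIOUS_PARAM][0],
                "status": int(m["status"]),
            })
    return hits


# Constructed sample traffic: two ordinary requests, two channel-switch attempts.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Feb/2020:12:00:01 +0000] "GET /en_US/ HTTP/1.1" 200 5120',
    '203.0.113.5 - - [10/Feb/2020:12:00:07 +0000] "GET /en_US/?_channel_code=B2B_WHOLESALE HTTP/1.1" 200 4870',
    '198.51.100.9 - - [10/Feb/2020:12:01:44 +0000] "GET /en_US/products/mug?page=2 HTTP/1.1" 200 9011',
    '198.51.100.9 - - [10/Feb/2020:12:02:10 +0000] "GET /en_US/checkout/?_channel_code=STAFF_ONLY&x=1 HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for hit in find_channel_switch_attempts(SAMPLE_LOG):
        print(f"{hit['timestamp']} {hit['ip']} -> {hit['path']} requested channel {hit['channel_code']!r}")
```

Any hit from a production host is worth correlating with the channel actually served in the response, since a switched channel can expose prices or products meant for another storefront.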
github.com/FriendsOfPHP/security-advisories/blob/master/sylius/resource-bundle/CVE-2020-5220.yaml
github.com/Sylius/Sylius/blob/b73fd34c46a9e6091025eb9dc866000b50b06fe2/CHANGELOG-1.3.md
github.com/Sylius/Sylius/blob/b73fd34c46a9e6091025eb9dc866000b50b06fe2/CHANGELOG-1.4.md
github.com/Sylius/Sylius/blob/b73fd34c46a9e6091025eb9dc866000b50b06fe2/CHANGELOG-1.5.md
github.com/Sylius/Sylius/blob/b73fd34c46a9e6091025eb9dc866000b50b06fe2/CHANGELOG-1.6.md
github.com/Sylius/Sylius/security/advisories/GHSA-prg5-hg25-8grq
github.com/Sylius/SyliusResourceBundle/security/advisories/GHSA-8vp7-j5cj-vvm2