Sylius v1.3.15 Release Notes

Release Date: 2019-12-05
  • CVE-2019-16768: Internal exception message exposure in login action.

    Details:

    Exception messages from internal exceptions (such as a database exception) are wrapped by
    \Symfony\Component\Security\Core\Exception\AuthenticationServiceException and propagated through the system to the UI.
    As a result, internal system information may leak and be visible to the customer.

    A validation message containing the exception details is presented to the user when they try to log into the shop.

    Solution:

    This release patches the reported vulnerability. The src/Sylius/Bundle/UiBundle/Resources/views/Security/_login.html.twig
    file from Sylius should be overridden and {{ messages.error(last_error.message) }} changed to {{ messages.error(last_error.messageKey) }}.
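The error-rendering part of an overridden login partial after the change, added here as an illustration and not taken from the Sylius repository. The override location (templates/bundles/SyliusUiBundle/Security/_login.html.twig, following Symfony's bundle template override convention) and the macro import path are assumptions to check against the Sylius version in use; the rest of the form markup is omitted.

```twig
{# Added example, not Sylius code. Assumed override path:
   templates/bundles/SyliusUiBundle/Security/_login.html.twig #}
{# Assumed macro import; verify the path used by your Sylius version #}
{% import '@SyliusUi/Macro/messages.html.twig' as messages %}

{% if last_error %}
    {# Before the fix: last_error.message carries the text of the wrapped internal
       exception (for example a database error) straight to the customer #}
    {# {{ messages.error(last_error.message) }} #}

    {# After the fix: messageKey is the generic, translatable key of the
       authentication exception, so no internal detail reaches the page #}
    {{ messages.error(last_error.messageKey) }}
{% endif %}
```

The reason the change is safe is that for AuthenticationServiceException getMessageKey() returns a fixed generic sentence rather than the message of the exception it wraps, so the customer sees only that authentication could not be processed. If the shop translates its messages, the usual Symfony pattern applies here as well: pass last_error.messageKey|trans(last_error.messageData, 'security') to the macro instead of the raw key. The wrapped exception itself is still available in the application log, which is where a database failure during login should be investigated.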