Sylius v1.3.16

Version Release Notes from January 27, 2020 (about 4 years ago)

« Changelog History

Sylius v1.3.16 Release Notes

Release Date: 2020-01-27 // about 4 years ago

CVE-2020-5218: Ability to switch channels via GET parameter enabled in production environments

⚡️ Please refer to the original security advisory for the most updated information.

Impact:

This vulnerability gives the ability to switch channels via the _channel_code GET parameter in production environments. This was meant to be enabled only when %kernel.debug% is set to true.

🔧 However, if no sylius_channel.debug is set explicitly in the configuration, the default value which is %kernel.debug% will be not resolved and cast to boolean, enabling this debug feature even if that parameter is set to false.

Patches:

Patch has been provided for Sylius 1.3.x and newer - 1.3.16, 1.4.12, 1.5.9, 1.6.5. Versions older than 1.3 are not covered by our security support anymore.

↪ Workarounds:

🔧 Unsupported versions could be patched by adding the following configuration to run in production:
```
sylius\_channel: debug: false
```

Awesome PHP is part of the LibHunt network. Terms. Privacy Policy.