Sylius v1.4.11 Release Notes
Release Date: 2019-12-05 // over 4 years ago-
👻 CVE-2019-16768: Internal exception message exposure in login action.
Details:
👻 Exception messages from internal exceptions (like database exception) are wrapped by
🔒\Symfony\Component\Security\Core\Exception\AuthenticationServiceException
and propagated through the system to UI.
Therefore, some internal system information may leak and be visible to the customer.🌲 A validation message with the exception details will be presented to the user when one will try to log into the shop.
Solution:
🚀 This release patches the reported vulnerability. The
src/Sylius/Bundle/UiBundle/Resources/views/Security/_login.html.twig
file from Sylius should be overridden and{{ messages.error(last_error.message) }}
changed to{{ messages.error(last_error.messageKey) }}
.