admin/cvelist
1
0
Fork 0
mirror of https://github.com/CVEProject/cvelist.git synced 2025-08-04 08:44:25 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add CVE-2020-15245 for GHSA-6gw4-x63h-5499

Browse Source
This commit is contained in:
Andre Eleuterio 2020-10-19 17:47:21 -03:00
parent 0ba49e0dec
commit cfe46144fd
No known key found for this signature in database
GPG Key ID: 12DE2AB117B34D6F
1 changed files with 76 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

82
2020/15xxx/CVE-2020-15245.json
View File

@ -1,18 +1,88 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-15245",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"STATE": "PUBLIC",
"TITLE": "Email verification bypass in Sylius"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Sylius",
"version": {
"version_data": [
{
"version_value": ">= 9.0.0, < 9.4.4"
}
]
}
}
]
},
"vendor_name": "Sylius"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "In Sylius before versions 1.6.9, 1.7.9 and 1.8.3, the user may register in a shop by email mail@example.com, verify it, change it to the mail another@domain.com and stay verified and enabled. This may lead to having accounts addressed to totally different emails, that were verified. Note, that this way one is not able to take over any existing account (guest or normal one).\n\nThe issue has been patched in Sylius 1.6.9, 1.7.9 and 1.8.3. As a workaround, you may resolve this issue on your own by creating a custom event listener, which will listen to the sylius.customer.pre_update event. You can determine that email has been changed if customer email and user username are different. They are synchronized later on. Pay attention, to email changing behavior for administrators. You may need to skip this logic for them. In order to achieve this, you should either check master request path info, if it does not contain /admin prefix or adjust event triggered during customer update in the shop. You can find more information on how to customize the event here."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "{\"CWE-79\":\"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\"}"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Sylius/Sylius/security/advisories/GHSA-6gw4-x63h-5499",
"refsource": "CONFIRM",
"url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-6gw4-x63h-5499"
},
{
"name": "https://github.com/Sylius/Sylius/commit/60636d711a4011e8694d10d201b53632c7e8ecaf",
"refsource": "MISC",
"url": "https://github.com/Sylius/Sylius/commit/60636d711a4011e8694d10d201b53632c7e8ecaf"
}
]
},
"source": {
"advisory": "GHSA-6gw4-x63h-5499",
"discovery": "UNKNOWN"
}
}