CVE-2020-15245 Information

Description

In Sylius before versions 1.6.9 1.7.9 and 1.8.3 the user may register in a shop by email mail@example.com verify it change it to the mail another@domain.com and stay verified and enabled. This may lead to having accounts addressed to totally different emails that were verified. Note that this way one is not able to take over any existing account (guest or normal one). The issue has been patched in Sylius 1.6.9 1.7.9 and 1.8.3. As a workaround you may resolve this issue on your own by creating a custom event listener which will listen to the sylius.customer.pre_update event. You can determine that email has been changed if customer email and user username are different. They are synchronized later on. Pay attention to email changing behavior for administrators. You may need to skip this logic for them. In order to achieve this you should either check master request path info if it does not contain /admin prefix or adjust event triggered during customer update in the shop. You can find more information on how to customize the event here.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Reference

https://github.com/Sylius/Sylius/commit/60636d711a4011e8694d10d201b53632c7e8ecaf https://github.com/Sylius/Sylius/security/advisories/GHSA-6gw4-x63h-5499

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

LOW

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

NONE

Availability Impact

LOW

Base Score

NONE

Base Severity

4.3