CVE-2020-15146

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2020-15146

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-15146.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2020-15146

Aliases

GHSA-h6m7-j4h3-9rf5

Published

2020-08-20T01:17:12Z

Modified

2024-06-06T13:06:14.181769Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

In SyliusResourceBundle before versions 1.3.14, 1.4.7, 1.5.2 and 1.6.4, request parameters injected inside an expression evaluated by symfony/expression-language package haven't been sanitized properly. This allows the attacker to access any public service by manipulating that request parameter, allowing for Remote Code Execution. This issue has been patched for versions 1.3.14, 1.4.7, 1.5.2 and 1.6.4. Versions prior to 1.3 were not patched.

References

https://github.com/Sylius/SyliusResourceBundle/security/advisories/GHSA-h6m7-j4h3-9rf5

Affected packages

Git / github.com/sylius/syliusresourcebundle

Affected ranges

Type: GIT
Repo: https://github.com/sylius/syliusresourcebundle
Events: Introduced

74abc146ad690ec43354d25fec65bd068e849b07

Last affected

624f865f4cfe3ea710d70bdfd615bb2e3fbb7c15

Introduced

1eb55aa25d96e140989464c012f6e1c954f5d223

Last affected

6e46718219cacbae579379b7caf5b5960b9105bb

Introduced

862fbfea9e310646232c97d907b04df9d99b42d4

Last affected

bba7e56ad60d05ce8884e1aa7ac8874abed7ad1f

Affected versions

v1.*

v1.1.18

v1.2.17

v1.3.10

v1.3.11

v1.3.12

v1.3.13

v1.3.9

v1.4.0

v1.4.1

v1.4.2

v1.4.3

v1.4.4

v1.4.5

v1.4.6