Description
In affected versions of Sylius, exception messages from internal exceptions (such as a database exception) are wrapped in \Symfony\Component\Security\Core\Exception\AuthenticationServiceException and propagated through the system to the UI. As a result, internal system information may leak and become visible to the customer: a validation message containing the exception details is presented to the user when they try to log into the shop. This has been patched in versions 1.3.14, 1.4.10, 1.5.7, and 1.6.3.
References (2)
Mitigation, Third Party Advisory (x_refsource_confirm): https://github.com/Sylius/Sylius/security/advisories/GHSA-3r8j-pmch-5j2h
Release Notes (x_refsource_misc): https://github.com/Sylius/Sylius/commit/be245302dfc594d8690fe50dd47631d186aa945f
Scores
CVSS v3: 3.5
EPSS: 0.0075
EPSS Percentile: 50.0%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
Details
CWE: CWE-209
Status: published
Products (2)
sylius/sylius: < 1.3.14
sylius/sylius: 0 - 1.3.14 (Packagist)
Published: Dec 05, 2019
Tracked Since: Feb 18, 2026