Impact
This vulnerability gives the ability to switch channels via the _channel_code
GET parameter in production environments. This was meant to be enabled only when %kernel.debug%
is set to true.
However, if no sylius_channel.debug
is set explicitly in the configuration, the default value which is %kernel.debug%
will be not resolved and cast to boolean, enabling this debug feature even if that parameter is set to false.
Patches
Patch has been provided for Sylius 1.3.x and newer - 1.3.16, 1.4.12, 1.5.9, 1.6.5. Versions older than 1.3 are not covered by our security support anymore.
Workarounds
Unsupported versions could be patched by adding the following configuration to run in production:
sylius_channel:
debug: false
References
Impact
This vulnerability gives the ability to switch channels via the
_channel_code
GET parameter in production environments. This was meant to be enabled only when%kernel.debug%
is set to true.However, if no
sylius_channel.debug
is set explicitly in the configuration, the default value which is%kernel.debug%
will be not resolved and cast to boolean, enabling this debug feature even if that parameter is set to false.Patches
Patch has been provided for Sylius 1.3.x and newer - 1.3.16, 1.4.12, 1.5.9, 1.6.5. Versions older than 1.3 are not covered by our security support anymore.
Workarounds
Unsupported versions could be patched by adding the following configuration to run in production:
References