Vulnerabilities (CVE)

Filtered by vendor Sylius Subscribe

Filtered by product Syliusresourcebundle

CVSS v3 Filter

ALL

NONE (0.0) LOW (0.1 - 3.9) MEDIUM (4.0 - 6.9) HIGH (7.0 - 8.9) CRITICAL (9.0 - 10.0)

Search

Total 1 CVE

CVE	Vendors	Products	Updated	CVSS v2	CVSS v3
CVE-2020-5220	1 Sylius	1 Syliusresourcebundle	2020-02-04	5.0 MEDIUM	5.3 MEDIUM
Sylius ResourceBundle accepts and uses any serialisation groups to be passed via a HTTP header. This might lead to data exposure by using an unintended serialisation group - for example it could make Shop API use a more permissive group from Admin API. Anyone exposing an API with ResourceBundle's controller is affected. The vulnerable versions are: <1.3 \|\| >=1.3.0 <=1.3.12 \|\| >=1.4.0 <=1.4.5 \|\| >=1.5.0 <=1.5.0 \|\| >=1.6.0 <=1.6.2. The patch is provided for Sylius ResourceBundle 1.3.13, 1.4.6, 1.5.1 and 1.6.3, but not for any versions below 1.3.