Sylius
CVE-2019-16768
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
1DescriptionNVD
In affected versions of Sylius, exception messages from internal exceptions (like database exception) are wrapped by \Symfony\Component\Security\Core\Exception\AuthenticationServiceException and propagated through the system to UI. Therefore, some internal system information may leak and be visible to the customer. A validation message with the exception details will be presented to the user when one will try to log into the shop. This has been patched in versions 1.3.14, 1.4.10, 1.5.7, and 1.6.3.
AnalysisAI
In affected versions of Sylius, exception messages from internal exceptions (like database exception) are wrapped by \Symfony\Component\Security\Core\Exception\AuthenticationServiceException and. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified under CWE-209. In affected versions of Sylius, exception messages from internal exceptions (like database exception) are wrapped by \Symfony\Component\Security\Core\Exception\AuthenticationServiceException and propagated through the system to UI. Therefore, some internal system information may leak and be visible to the customer. A validation message with the exception details will be presented to the user when one will try to log into the shop. This has been patched in versions 1.3.14, 1.4.10, 1.5.7, and 1.6.3. Affected products include: Sylius.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
A rate limiting issue in Sylius v2.0.2 allows a remote attacker to perform unrestricted brute-force attacks on user acco
Sylius is an open source eCommerce platform. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable,
Sylius 1.12.13 is vulnerable to Cross Site Scripting (XSS) via the "Province" field in Address Book. Rated medium severi
Sylius is an open source eCommerce platform. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitabl
Sylius eCommerce Framework is vulnerable to a race condition in promotion and coupon usage limit enforcement, where conc
Authenticated users in Sylius eCommerce can access sensitive customer data belonging to other users through unvalidated
Open redirect vulnerabilities in Sylius eCommerce Framework allow unauthenticated attackers to redirect users to arbitra
Stored XSS in Sylius checkout login form allows unauthenticated attackers to inject malicious scripts through authentica
Sylius is an open source eCommerce platform. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitabl
Sylius is an open source eCommerce platform. Rated medium severity (CVSS 5.5), this vulnerability is no authentication r
Sylius eCommerce framework's cart API endpoint fails to validate cart ownership, allowing unauthenticated attackers to a
Sylius eCommerce Framework versions prior to 1.9.12, 1.10.16, 1.11.17, 1.12.23, 1.13.15, 1.14.18, 2.0.16, 2.1.12, and 2.
Same weakness CWE-209 – Error Message Information Leak
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today