Packagist (Composer) package
sylius/resource-bundle
pkg:composer/sylius/resource-bundle
Vulnerabilities (3)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2020-15143 | — | — | — | >= 1.4.0, < 1.4.7 | 1.4.7 | Aug 19, 2020 | In SyliusResourceBundle before versions 1.3.14, 1.4.7, 1.5.2 and 1.6.4, request parameters injected inside an expression evaluated by the `symfony/expression-language` package haven't been sanitized properly. This allows the attacker to access any public service by manipulating that |
| CVE-2020-15146 | — | — | — | >= 1.4.0, < 1.4.7 | 1.4.7 | Aug 19, 2020 | In SyliusResourceBundle before versions 1.3.14, 1.4.7, 1.5.2 and 1.6.4, request parameters injected inside an expression evaluated by the `symfony/expression-language` package haven't been sanitized properly. This allows the attacker to access any public service by manipulating that |
| CVE-2020-5220 | — | — | — | >= 1.4.0, < 1.4.6 | 1.4.6 | Jan 27, 2020 | Sylius ResourceBundle accepts and uses any serialisation groups passed via an HTTP header. This might lead to data exposure by using an unintended serialisation group; for example, it could make the Shop API use a more permissive group from the Admin API. Anyone exposing an API with |