SCA: security update for sylius/sylius (GHSA-6gw4-x63h-5499)

medium Tenable Cloud Security Plugin ID 411449

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- In Sylius before versions 1.6.9, 1.7.9 and 1.8.3, the user may register in a shop by email
[email protected], verify it, change it to the mail [email protected] and stay verified and enabled. This
may lead to having accounts addressed to totally different emails, that were verified. Note, that this way
one is not able to take over any existing account (guest or normal one). The issue has been patched in
Sylius 1.6.9, 1.7.9 and 1.8.3. As a workaround, you may resolve this issue on your own by creating a
custom event listener, which will listen to the sylius.customer.pre_update event. You can determine that
email has been changed if customer email and user username are different. They are synchronized later on.
Pay attention, to email changing behavior for administrators. You may need to skip this logic for them. In
order to achieve this, you should either check master request path info, if it does not contain /admin
prefix or adjust event triggered during customer update in the shop. You can find more information on how
to customize the event here. (CVE-2020-15245)

See Also

https://github.com/advisories/GHSA-6gw4-x63h-5499

Plugin Details

Severity: Medium

ID: 411449

Version: Revision 1.5

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 1.2

Percentile: 0.01

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 4

Temporal Score: 3

Vector: CVSS2#AV:N/AC:L/Au:S/C:N/I:P/A:N

CVSS Score Source: CVE-2020-15245

CVSS v3

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.8

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 10/19/2020

Vulnerability Publication Date: 10/19/2020

Reference Information

CVE: CVE-2020-15245