GHSA-prg5-hg25-8grq

GitHub Security Advisory

Ability to switch channels via GET parameter enabled in production environments

✓ GitHub Reviewed LOW Has CVE

Advisory Details

### Impact

This vulnerability gives the ability to switch channels via the `_channel_code` GET parameter in production environments. This was meant to be enabled only when `%kernel.debug%` is set to true.

However, if `sylius_channel.debug` is not set explicitly in the configuration, its default value, the parameter placeholder `%kernel.debug%`, is not resolved but cast directly to boolean. Because a non-empty string casts to `true`, this debug feature is enabled even when `kernel.debug` is set to false.
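The root cause described above, as an added illustrative model rather than Sylius's own code: the function names, the constructed request and the channel codes are assumptions, and the model only shows why an unresolved `%kernel.debug%` placeholder enables the override and how the workaround and a proper fix each close it.

```php
<?php
// Illustrative model (not Sylius code) of how an unresolved container
// parameter placeholder silently turns a debug-only feature on.

function resolveDebugFlag(array $config, array $parameters, bool $resolvePlaceholders): bool
{
    // Default mirrors the advisory: the raw placeholder string '%kernel.debug%'.
    $raw = $config['sylius_channel']['debug'] ?? '%kernel.debug%';

    if ($resolvePlaceholders && is_string($raw) && preg_match('/^%(.+)%$/', $raw, $m)) {
        // Fixed path: look the placeholder up in the container parameters first.
        $raw = $parameters[$m[1]] ?? $raw;
    }

    // Buggy path: (bool) '%kernel.debug%' is true because the string is non-empty,
    // so the value of kernel.debug is never consulted.
    return (bool) $raw;
}

function channelCodeFromRequest(array $query, bool $debug, string $hostChannel): string
{
    // The _channel_code override must only be honoured when debug is genuinely on.
    if ($debug && isset($query['_channel_code'])) {
        return (string) $query['_channel_code'];
    }
    return $hostChannel;
}

// Constructed production parameters and request (hypothetical channel codes).
$prodParams = ['kernel.debug' => false];
$query      = ['_channel_code' => 'WEB_EU'];

// 1. Vulnerable: debug key omitted, placeholder never resolved.
$debug = resolveDebugFlag([], $prodParams, false);
printf("unresolved placeholder -> debug=%s, channel=%s\n",
    var_export($debug, true), channelCodeFromRequest($query, $debug, 'WEB_US'));

// 2. Workaround from the advisory: explicit `sylius_channel: { debug: false }`.
$debug = resolveDebugFlag(['sylius_channel' => ['debug' => false]], $prodParams, false);
printf("explicit debug: false  -> debug=%s, channel=%s\n",
    var_export($debug, true), channelCodeFromRequest($query, $debug, 'WEB_US'));

// 3. Fix: resolve the placeholder against kernel.debug before casting.
$debug = resolveDebugFlag([], $prodParams, true);
printf("resolved placeholder   -> debug=%s, channel=%s\n",
    var_export($debug, true), channelCodeFromRequest($query, $debug, 'WEB_US'));
```

Only the first run lets the request override the host channel; the explicit `debug: false` workaround and the resolved placeholder both keep the host channel.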

### Patches

A patch has been provided for Sylius 1.3.x and newer: **1.3.16, 1.4.12, 1.5.9, 1.6.5**. Versions older than 1.3 are no longer covered by our security support.

### Workarounds

Unsupported versions could be patched by adding the following configuration to run in production:

```yaml
sylius_channel:
    debug: false
```

Affected Packages

- Packagist `sylius/sylius`: affected versions 0 (fixed in 1.3.16)
- Packagist `sylius/sylius`: affected versions 1.4.0 (fixed in 1.4.12)
- Packagist `sylius/sylius`: affected versions 1.5 (fixed in 1.5.9)
- Packagist `sylius/sylius`: affected versions 1.6.0 (fixed in 1.6.5)

Key Information

GHSA ID
GHSA-prg5-hg25-8grq
Published
January 31, 2020 6:00 PM
Last Modified
January 8, 2021 8:32 PM
CVSS Score
2.5 / 10
Primary Ecosystem
Packagist
Primary Package
sylius/sylius
GitHub Reviewed
✓ Yes

Dataset

Last updated: July 12, 2025 6:29 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.