Symfony · Symfony/Expression-Language · CVE-2020-15146
**Name of the Vulnerable Software and Affected Versions**
SyliusResourceBundle versions prior to 1.3.14
SyliusResourceBundle versions 1.4.0 through 1.4.6
SyliusResourceBundle versions 1.5.0 through 1.5.1
SyliusResourceBundle versions 1.6.0 through 1.6.3
**Description**
The issue arises from request parameters not being sanitized properly when injected inside an expression evaluated by the `symfony/expression-language` package. This allows an attacker to access any public service by manipulating the request parameter, potentially leading to Remote Code Execution.
In a specific example, visiting a route with a specially crafted `id` parameter, such as `/route?id="~service('doctrine').getManager().getConnection().executeQuery('DELETE * FROM TABLE')~"`, can result in the execution of a query on the currently connected database.
To identify this issue in an application, look for routing definitions that use request parameters inside the expression language.
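The pattern the advisory describes, shown as an added illustration that is not the bundle's own code: a request value spliced into the expression source beside a form that passes it as an expression variable instead (an alternative to escaping with `addslashes`). It assumes `symfony/expression-language` is installed via Composer; `service` is a stand-in function registered locally, and the registry and ids are constructed sample data.

```php
<?php
// Added illustration, not SyliusResourceBundle code. ExpressionLanguage,
// register() and evaluate() are the real symfony/expression-language APIs.
require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\ExpressionLanguage\ExpressionLanguage;

// Constructed stand-in for a service locator with one "repository".
$registry = ['app.repository' => new class {
    public function find(string $id): string { return "record:$id"; }
}];

$el = new ExpressionLanguage();
// Hypothetical service() function so the snippet runs outside a Symfony container.
$el->register(
    'service',
    fn ($name) => sprintf('$registry[%s]', $name),            // compile mode (unused here)
    fn (array $vars, string $name) => $vars['registry'][$name] // evaluate mode
);

// VULNERABLE: the raw request value becomes part of the expression source.
// A value containing a closing quote ends the literal; whatever follows is
// parsed as expression syntax with access to every registered function.
function lookupVulnerable(ExpressionLanguage $el, array $registry, string $rawId)
{
    $expr = 'service("app.repository").find("' . $rawId . '")';
    return $el->evaluate($expr, ['registry' => $registry]);
}

// HARDENED: the expression source is a fixed string; the request value is
// supplied as the variable `id`, so it is only ever a string argument.
function lookupHardened(ExpressionLanguage $el, array $registry, string $rawId)
{
    $expr = 'service("app.repository").find(id)';
    return $el->evaluate($expr, ['registry' => $registry, 'id' => $rawId]);
}

// Constructed inputs: a benign id and one carrying a quote and the ~ operator.
var_dump(lookupHardened($el, $registry, 'abc'));            // string "record:abc"
var_dump(lookupHardened($el, $registry, 'x")~service("'));  // quote stays inert
```

When auditing routing definitions, the tell is any expression built by string concatenation or interpolation of a request parameter, as in `lookupVulnerable`; expressions that reference request data only through variables passed to `evaluate()` do not have this problem.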
**Recommendations**
For SyliusResourceBundle versions prior to 1.3.14, update to version 1.3.14 or later.
For SyliusResourceBundle versions 1.4.0 through 1.4.6, update to version 1.4.7 or later.
For SyliusResourceBundle versions 1.5.0 through 1.5.1, update to version 1.5.2 or later.
For SyliusResourceBundle versions 1.6.0 through 1.6.3, update to version 1.6.4 or later.
As a temporary workaround, consider adding `addslashes` in `OptionsParser::parseOptionExpression` to sanitize user input before evaluating it using the expression language.