PT-2019-14824 · Sylius · Sylius

Pamil · Published 2019-12-05 · Updated 2019-12-17 · CVE-2019-16768

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Sylius versions prior to 1.3.14
Sylius versions prior to 1.4.10
Sylius versions prior to 1.5.7
Sylius versions prior to 1.6.3

Description

In affected versions of Sylius, exception messages from internal exceptions, such as database exceptions, are wrapped by Symfony\Component\Security\Core\Exception\AuthenticationServiceException and propagated through the system to the UI. This may cause some internal system information to leak and become visible to the customer: a validation message containing the exception details is presented to the user when they try to log into the shop.

Recommendations

For Sylius versions prior to 1.3.14, update to version 1.3.14 or later.
For Sylius versions prior to 1.4.10, update to version 1.4.10 or later.
For Sylius versions prior to 1.5.7, update to version 1.5.7 or later.
For Sylius versions prior to 1.6.3, update to version 1.6.3 or later.

As a temporary workaround, override the src/Sylius/Bundle/UiBundle/Resources/views/Security/login.html.twig file and replace the affected lines with the provided code, so that exception details are not displayed to the user.
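The following is an added illustration of the mechanism described above; it is not Sylius's code and not the template change the advisory refers to. It assumes symfony/security-core is installed via Composer (so the real AuthenticationServiceException class is available), and the database exception, its message, and the loadUserForLogin, leakyLoginError and safeLoginError functions are constructed for this example. It shows why rendering an exception's free-form message exposes the wrapped internal cause, and why rendering the fixed message key instead keeps that detail server-side in the log.

```php
<?php
// Added example, not part of the advisory or of Sylius. Assumes
// symfony/security-core is available through Composer's autoloader.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\Security\Core\Exception\AuthenticationServiceException;

// Constructed stand-in for a database failure during the login user lookup.
final class HypotheticalDbException extends \RuntimeException {}

/**
 * Mirrors the wrapping the advisory describes: a failure inside the user
 * lookup is rethrown as AuthenticationServiceException, and the original
 * message travels along with it (hypothetical function).
 */
function loadUserForLogin(string $username): void
{
    try {
        // Constructed message; a real driver error would look similar.
        throw new HypotheticalDbException(
            'SQLSTATE[HY000] [2002] Connection refused (host db-internal.example, user shop_rw)'
        );
    } catch (\Throwable $e) {
        throw new AuthenticationServiceException($e->getMessage(), 0, $e);
    }
}

/**
 * Leaky rendering: getMessage() returns whatever the wrapped cause said,
 * so host names, user names or SQL fragments reach the login page.
 */
function leakyLoginError(AuthenticationException $e): string
{
    return $e->getMessage();
}

/**
 * Safe rendering: getMessageKey() is a fixed, translatable key chosen by the
 * exception class (for AuthenticationServiceException: "Authentication request
 * could not be processed due to a system problem."). The cause is logged
 * server-side instead of being shown to the customer.
 */
function safeLoginError(AuthenticationException $e, array &$log): string
{
    $cause = $e->getPrevious() ?? $e;
    $log[] = sprintf('login failure: %s: %s', get_class($cause), $cause->getMessage());

    return $e->getMessageKey();
}

$log = [];
try {
    loadUserForLogin('customer@example.com');
} catch (AuthenticationException $e) {
    echo 'leaky: ' . leakyLoginError($e) . PHP_EOL;   // exposes host and db user
    echo 'safe:  ' . safeLoginError($e, $log) . PHP_EOL;
    echo 'log:   ' . $log[0] . PHP_EOL;               // detail stays in the log
}
```

When reviewing a login template or error handler for this class of issue, the check is simply whether the user-facing output is derived from getMessage() (free-form, inherited from the wrapped cause) or from getMessageKey() (a constant per exception class); only the latter is safe to display.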

Fix

Weakness Enumeration

Generation of Error Message Containing Sensitive Information

Related Identifiers

CVE-2019-16768
GHSA-3R8J-PMCH-5J2H

Affected Products

Sylius