PT-2020-14223 · Symfony +1 · Symfony/Expression-Language +1

Craig Blanchette +1

Published 2020-08-19 · Updated 2021-11-18 · CVE-2020-15143

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

SyliusResourceBundle versions prior to 1.3.14
SyliusResourceBundle versions 1.4.0 through 1.4.6
SyliusResourceBundle versions 1.5.0 through 1.5.1
SyliusResourceBundle versions 1.6.0 through 1.6.3

Description

The issue arises from request parameters not being sanitized before they are interpolated into an expression that is then evaluated by the symfony/expression-language package. Because the evaluated expression runs with access to the service container, an attacker who controls such a parameter can reach any public service, which can lead to Remote Code Execution.

For example, with a routing definition like "foo: path: /foo/{id}", the $id parameter is copied into the expression source and can therefore be shaped to call other services. Visiting a URL like /foo/"~service('doctrine').getManager().getConnection().executeQuery("DELETE * FROM TABLE")~" can result in the execution of a query on the currently connected database.

Recommendations

For SyliusResourceBundle versions prior to 1.3.14, update to version 1.3.14 or later.
For SyliusResourceBundle versions 1.4.0 through 1.4.6, update to version 1.4.7 or later.
For SyliusResourceBundle versions 1.5.0 through 1.5.1, update to version 1.5.2 or later.
For SyliusResourceBundle versions 1.6.0 through 1.6.3, update to version 1.6.4 or later.

As a temporary workaround, consider applying addslashes in ParametersParser::parseRequestValueExpression so that user input is escaped before the expression is evaluated by the expression language.
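The following is an added example, not code from SyliusResourceBundle or Symfony. It is a stripped-down model of the mechanism the description and the workaround refer to: a placeholder such as $id in an expression template is replaced by a raw request value, so a value containing a double quote closes the string literal and the rest is parsed as expression syntax. The function names (buildExpressionUnsafe, buildExpressionSafe, countUnescapedQuotes), the template and the request values are all hypothetical; the bundle's real parser, its placeholder syntax and its regular expressions differ. The block only builds the expression source and inspects it; it does not call ExpressionLanguage, so it runs with plain PHP and nothing else installed.

```php
<?php
declare(strict_types=1);

// Added example (not the bundle's own code). Models how a request parameter
// ends up inside an expression string and what the addslashes workaround from
// the advisory changes. All names and inputs below are hypothetical.

// Vulnerable pattern: the raw request value is pasted between two quotes. A
// value that itself contains '"' terminates the literal early, and whatever
// follows is parsed as expression syntax (e.g. a service() call).
function buildExpressionUnsafe(string $template, array $requestParams): string
{
    return preg_replace_callback('/\$(\w+)/', function (array $m) use ($requestParams): string {
        $value = $requestParams[$m[1]] ?? '';
        return '"' . (string) $value . '"';
    }, $template);
}

// Hardened pattern (the temporary workaround the advisory describes): reject
// non-scalar values and escape quotes and backslashes with addslashes before
// quoting, so the whole request value remains a single string literal.
function buildExpressionSafe(string $template, array $requestParams): string
{
    return preg_replace_callback('/\$(\w+)/', function (array $m) use ($requestParams): string {
        $value = $requestParams[$m[1]] ?? '';
        if (!is_scalar($value)) {
            throw new InvalidArgumentException(
                sprintf('Request parameter "%s" must be a scalar value', $m[1])
            );
        }
        return '"' . addslashes((string) $value) . '"';
    }, $template);
}

// Cheap invariant a reviewer or a pre-evaluation guard can check: count the
// unescaped double quotes in the generated source. Each interpolated value
// should contribute exactly its two delimiters and nothing more.
function countUnescapedQuotes(string $expressionSource): int
{
    $n = preg_match_all('/(?<!\\\\)"/', $expressionSource);
    return $n === false ? 0 : $n;
}

// Constructed inputs for the demonstration (hypothetical template and values).
$template = 'service("app.repository").find($id)';
$benign   = ['id' => '42'];
$hostile  = ['id' => '"~service(\'doctrine\')~"'];   // same shape as the advisory's payload

// Expected invariant: the template alone has 2 quotes, one placeholder adds 2,
// so a well-formed result has exactly 4 unescaped quotes. The unsafe builder
// yields 6 for the hostile value (the literal was split); the safe one yields 4.
foreach (['benign' => $benign, 'hostile' => $hostile] as $label => $params) {
    $unsafe = buildExpressionUnsafe($template, $params);
    $safe   = buildExpressionSafe($template, $params);
    printf("%-8s unsafe: %s  (unescaped quotes: %d)\n", $label, $unsafe, countUnescapedQuotes($unsafe));
    printf("%-8s safe:   %s  (unescaped quotes: %d)\n\n", $label, $safe, countUnescapedQuotes($safe));
}
```

The escaping shown here is the stop-gap the advisory names; the supported fix is upgrading to a patched release. A cleaner design for any code that evaluates user-influenced expressions is to never splice the value into the expression source at all and instead hand it to ExpressionLanguage::evaluate() through its values array, so the user input is only ever data and cannot change the expression's structure.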

Exploit

Fix

Special Elements Injection


Weakness Enumeration

Related Identifiers

CVE-2020-15143
GHSA-P4PJ-9G59-4PPV

Affected Products

Syliusresourcebundle
Symfony/Expression-Language