PT-2020-14225 · Symfony+1 · Symfony/Expression-Language+1

Craig Blanchette +1 · Published 2020-08-19 · Updated 2021-11-18 · CVE-2020-15146
CVSS v3.1: 9.6 Critical
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions

SyliusResourceBundle versions prior to 1.3.14
SyliusResourceBundle versions 1.4.0 through 1.4.6
SyliusResourceBundle versions 1.5.0 through 1.5.1
SyliusResourceBundle versions 1.6.0 through 1.6.3
Description

SyliusResourceBundle lets a route's _sylius options carry expressions (the expr: form) that refer to request parameters as $param placeholders. OptionsParser::parseOptionExpression substitutes the raw request value into the expression source, inside a quoted string literal, without sanitizing it, and then has the symfony/expression-language package evaluate the result. A value that closes that literal turns the rest of the parameter into expression code. Because the expression context exposes the service() helper, an attacker who controls the parameter can resolve any public service in the container and call methods on it, which, depending on what those services expose, can escalate to Remote Code Execution.
In the advisory's example, requesting the route with a crafted id parameter such as

/route?id="~service('doctrine').getManager().getConnection().executeQuery('DELETE * FROM TABLE')~"

runs a statement on the currently connected database. Read the payload in the context of the spliced expression: the leading double quote closes the string literal the bundle wrapped around the parameter, ~ is the expression language's string-concatenation operator, service('doctrine') resolves the public Doctrine registry, the chained getManager().getConnection().executeQuery(...) calls run the statement, and the trailing ~" reopens a literal so that the expression still parses. The SQL text is illustrative; any statement the application's database user is allowed to run can be substituted, and in a real request the value is URL-encoded.
To identify exposure in an application, check the installed sylius/resource-bundle version against the affected ranges above, and audit routing definitions for _sylius options whose values are expr: expressions that reference request parameters ($id, $slug, and so on). Each such route is an injection point while the bundle is unpatched.
Recommendations

For SyliusResourceBundle versions prior to 1.3.14, update to version 1.3.14 or later.
For SyliusResourceBundle versions 1.4.0 through 1.4.6, update to version 1.4.7 or later.
For SyliusResourceBundle versions 1.5.0 through 1.5.1, update to version 1.5.2 or later.
For SyliusResourceBundle versions 1.6.0 through 1.6.3, update to version 1.6.4 or later.

If updating is not immediately possible, the advisory's temporary workaround is to apply addslashes to the request value in OptionsParser::parseOptionExpression before it is substituted into the expression, so that quotes and backslashes cannot close the string literal. This only escapes the value; it does not stop expressions from reaching public services, so treat it as a stopgap until the bundle is updated.
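The splice described under Description, the addslashes workaround named above, and the safer alternative of binding the request value as an expression variable, as an added example that is not SyliusResourceBundle's own code. It assumes the shape of OptionsParser::parseOptionExpression (each $param placeholder replaced by the request value wrapped in double quotes), a service() expression function registered the way the bundle exposes the container, and hypothetical stub classes FakeContainer, FakeDoctrine, FakeManager, FakeConnection and FakeRepository standing in for the real services:

```php
<?php
// Added example, not SyliusResourceBundle's own code. It models (assumption) the
// shape of OptionsParser::parseOptionExpression: each $param placeholder in an
// "expr:" route option is replaced by the request value and the result is handed
// to symfony/expression-language. Shown side by side: the vulnerable splice, the
// addslashes workaround from the advisory, and binding the value as a variable.
// Needs PHP >= 8.0 and: composer require symfony/expression-language
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\ExpressionLanguage\ExpressionLanguage;

// Hypothetical stand-ins for Doctrine's registry chain and for a repository service.
final class FakeConnection
{
    /** @var string[] every SQL string that reached the "database" */
    public array $executed = [];
    public function executeQuery(string $sql): string { $this->executed[] = $sql; return 'executed'; }
}
final class FakeManager
{
    public function __construct(private FakeConnection $conn) {}
    public function getConnection(): FakeConnection { return $this->conn; }
}
final class FakeDoctrine
{
    public function __construct(private FakeManager $manager) {}
    public function getManager(): FakeManager { return $this->manager; }
}
final class FakeRepository
{
    public function find(string $id): string { return 'product#' . $id; }
}
final class FakeContainer
{
    /** @param array<string, object> $services public service id => instance */
    public function __construct(private array $services) {}
    public function get(string $id): object { return $this->services[$id]; }
}

$conn = new FakeConnection();
$container = new FakeContainer([
    'doctrine' => new FakeDoctrine(new FakeManager($conn)),
    'app.repository.product' => new FakeRepository(),
]);

$el = new ExpressionLanguage();
// service('id') resolves a public service from the container; this is the hook the payload abuses.
$el->register(
    'service',
    fn (string $id): string => sprintf('$container->get(%s)', $id),
    fn (array $vars, string $id): object => $vars['container']->get($id),
);

// Vulnerable shape: the raw value is wrapped in double quotes and spliced into the
// expression SOURCE, so a value containing a quote becomes expression code.
function vulnerableParse(ExpressionLanguage $el, FakeContainer $c, string $expression, array $request): mixed
{
    $source = preg_replace_callback('/\$(\w+)/',
        fn (array $m): string => sprintf('"%s"', (string) ($request[$m[1]] ?? '')), $expression);
    return $el->evaluate($source, ['container' => $c]);
}

// Advisory workaround: addslashes escapes quotes and backslashes before the splice;
// the expression lexer un-escapes them again inside the string literal.
function workaroundParse(ExpressionLanguage $el, FakeContainer $c, string $expression, array $request): mixed
{
    $source = preg_replace_callback('/\$(\w+)/',
        fn (array $m): string => sprintf('"%s"', addslashes((string) ($request[$m[1]] ?? ''))), $expression);
    return $el->evaluate($source, ['container' => $c]);
}

// Stronger shape: never splice. Each request value is bound as an expression
// variable, so the parser only ever sees it as data, whatever it contains.
function boundParse(ExpressionLanguage $el, FakeContainer $c, string $expression, array $request): mixed
{
    $vars = ['container' => $c];
    $source = preg_replace_callback('/\$(\w+)/', function (array $m) use (&$vars, $request): string {
        $vars['req_' . $m[1]] = (string) ($request[$m[1]] ?? '');
        return 'req_' . $m[1];
    }, $expression);
    return $el->evaluate($source, $vars);
}

// Route option as it would be written in routing.yaml (the "expr:" prefix already
// stripped) and the advisory's ?id= value after URL decoding. '~' is the expression
// language's string-concatenation operator; the leading '"' closes the literal the
// bundle opened around the value.
$expression = "service('app.repository.product').find(\$id)";
$payload = "\"~service('doctrine').getManager().getConnection().executeQuery('DELETE * FROM TABLE')~\"";

var_dump(vulnerableParse($el, $container, $expression, ['id' => $payload]), $conn->executed);
$conn->executed = [];
var_dump(workaroundParse($el, $container, $expression, ['id' => $payload]), $conn->executed);
var_dump(boundParse($el, $container, $expression, ['id' => $payload]), $conn->executed);
```

Compare $conn->executed after each call: only the vulnerable splice lets the injected executeQuery() reach the connection, while both mitigations hand the whole payload to find() as an ordinary string. The binding approach is the one to prefer when you own the code, because it does not depend on the escaping rules of the expression lexer matching those of addslashes.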

Weakness Enumeration

Special Elements Injection

Related Identifiers

CVE-2020-15146
GHSA-H6M7-J4H3-9RF5

Affected Products

SyliusResourceBundle
Symfony/Expression-Language