PT-2020-14310 · Sylius · Sylius

Decemvre +1 · Published 2020-10-19 · Updated 2021-11-18 · CVE-2020-15245

CVSS v3.1: 4.3 Medium
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Sylius 1.6.x prior to 1.6.9
Sylius 1.7.x prior to 1.7.9
Sylius 1.8.x prior to 1.8.3
Description
The issue allows a user to register in a shop with an email address, verify it, then change the account's email to a different address and remain verified and enabled. This can result in accounts that are marked as verified although the address currently attached to them was never verified. Note that this does not allow taking over any existing account.
Recommendations
For Sylius 1.6.x prior to 1.6.9, update to version 1.6.9 or newer. For Sylius 1.7.x prior to 1.7.9, update to version 1.7.9 or newer. For Sylius 1.8.x prior to 1.8.3, update to version 1.8.3 or newer. As a temporary workaround for deployments that cannot be updated, register a custom event listener on the sylius.customer.pre_update event that detects an email change by comparing the customer's email with the associated shop user's username (the username is set to the email at registration): if they differ, reset the account's verification state accordingly, taking into account that email changes made by administrators may need to be handled differently.
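The listener the workaround describes, written out as an added example; this is illustrative code, not the Sylius project's own fix. It assumes a Symfony/Sylius 1.x project layout, the service id sylius.shop_user.token_generator.email_verification for the verification-token generator, the standard security.token_storage service, and that administrators authenticate as Sylius AdminUser entities; the class name, method name and the decision to leave administrator-made changes verified are choices of this example.

```php
<?php

declare(strict_types=1);

namespace App\EventListener;

use Sylius\Component\Core\Model\AdminUserInterface;
use Sylius\Component\Core\Model\CustomerInterface;
use Sylius\Component\Core\Model\ShopUserInterface;
use Sylius\Component\User\Security\GeneratorInterface;
use Symfony\Component\EventDispatcher\GenericEvent;
use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;

/**
 * Workaround listener for CVE-2020-15245 (illustrative example, not Sylius code).
 *
 * Runs on "sylius.customer.pre_update", i.e. after the edit form has been
 * applied to the Customer entity but before it is flushed. At registration the
 * ShopUser's username is set to the customer's email, so a mismatch between the
 * two means the address is being changed and the earlier verification no longer
 * covers the address now on the account.
 *
 * Registration in config/services.yaml (service ids are assumptions):
 *
 *   App\EventListener\CustomerEmailChangeListener:
 *       arguments:
 *           $tokenGenerator: '@sylius.shop_user.token_generator.email_verification'
 *           $tokenStorage: '@security.token_storage'
 *       tags:
 *           - { name: kernel.event_listener, event: sylius.customer.pre_update, method: onCustomerPreUpdate }
 */
final class CustomerEmailChangeListener
{
    /** @var GeneratorInterface */
    private $tokenGenerator;

    /** @var TokenStorageInterface */
    private $tokenStorage;

    public function __construct(GeneratorInterface $tokenGenerator, TokenStorageInterface $tokenStorage)
    {
        $this->tokenGenerator = $tokenGenerator;
        $this->tokenStorage = $tokenStorage;
    }

    public function onCustomerPreUpdate(GenericEvent $event): void
    {
        $customer = $event->getSubject();
        if (!$customer instanceof CustomerInterface) {
            return;
        }

        $user = $customer->getUser();
        if (!$user instanceof ShopUserInterface) {
            return; // guest customer without a login: nothing to verify
        }

        if (!self::emailChanged($customer, $user)) {
            return;
        }

        // Keep the login name in sync with the new address in every case.
        $user->setUsername($customer->getEmail());

        if ($this->isAdministrator()) {
            // Assumption of this example: an administrator editing the address
            // from the admin panel is trusted, so the account stays verified and
            // enabled. Tighten this if your deployment wants re-verification here too.
            return;
        }

        // A shop user changing their own address: drop the old verification and
        // issue a fresh token so the new address has to be confirmed. Sending the
        // verification email is left to the project's existing mail flow.
        $user->setVerifiedAt(null);
        $user->setEnabled(false);
        $user->setEmailVerificationToken($this->tokenGenerator->generate());
    }

    /** The check from the advisory's workaround: customer email vs. stored username. */
    public static function emailChanged(CustomerInterface $customer, ShopUserInterface $user): bool
    {
        return $customer->getEmail() !== $user->getUsername();
    }

    private function isAdministrator(): bool
    {
        $token = $this->tokenStorage->getToken();

        return null !== $token && $token->getUser() instanceof AdminUserInterface;
    }
}
```

Two practical caveats: the event name carries an underscore (sylius.customer.pre_update), and disabling the user only makes sense where the channel requires account verification; on a channel that does not, dropping the verified state without disabling the account is the safer choice.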

Tags: Exploit · Fix · Missing Authorization · XSS



Related Identifiers

CVE-2020-15245
GHSA-6GW4-X63H-5499

Affected Products

Sylius