Sylius v1.4.11 Release Notes
Release Date: 2019-12-05 // over 4 years ago-
๐ป CVE-2019-16768: Internal exception message exposure in login action.
Details:
๐ป Exception messages from internal exceptions (like database exception) are wrapped by
๐\Symfony\Component\Security\Core\Exception\AuthenticationServiceException
and propagated through the system to UI.
Therefore, some internal system information may leak and be visible to the customer.๐ฒ A validation message with the exception details will be presented to the user when one will try to log into the shop.
Solution:
๐ This release patches the reported vulnerability. The
src/Sylius/Bundle/UiBundle/Resources/views/Security/_login.html.twig
file from Sylius should be overridden and{{ messages.error(last_error.message) }}
changed to{{ messages.error(last_error.messageKey) }}
.