CVE-2019-16768

low-risk

Published 2019-12-05

In affected versions of Sylius, exception messages from internal exceptions (like database exception) are wrapped by \Symfony\Component\Security\Core\Exception\AuthenticationServiceException and propagated through the system to UI. Therefore, some internal system information may leak and be visible to the customer. A validation message with the exception details will be presented to the user when one will try to log into the shop. This has been patched in versions 1.3.14, 1.4.10, 1.5.7, and 1.6.3.

Do I need to act?

0.35% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 3.5/10 Low

NETWORK / LOW complexity

Affected Products (1)

Sylius

Affected Vendors

Sylius

References (4)

Release Notes https://github.com/Sylius/Sylius/commit/be245302dfc594d8690fe50dd47631d186aa945f

Mitigation https://github.com/Sylius/Sylius/security/advisories/GHSA-3r8j-pmch-5j2h

Release Notes https://github.com/Sylius/Sylius/commit/be245302dfc594d8690fe50dd47631d186aa945f

Mitigation https://github.com/Sylius/Sylius/security/advisories/GHSA-3r8j-pmch-5j2h

/ 100

low-risk

Severity 16/34 · Moderate

Exploitability 1/34 · Minimal

Exposure 5/34 · Minimal