Is CVE-2020-15146 actively exploited?

CVE-2020-15146 has no public evidence of in-the-wild exploitation as of 2024-11-21.

What is the CVSS score for CVE-2020-15146?

CVE-2020-15146 has a CVSS score of 9.6 (CRITICAL severity). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N.

How do I patch CVE-2020-15146?

Patch guidance is available from sylius security advisories. CVEDatabase generates AI-assisted remediation guidance on demand for CVE-2020-15146.

Fix CVE-2020-15146 - CRITICAL sylius syliusresourcebundle

Q: Which products are affected by CVE-2020-15146?

4 products: sylius syliusresourcebundle, sylius syliusresourcebundle, sylius syliusresourcebundle, sylius syliusresourcebundle.

Description

In SyliusResourceBundle before versions 1.3.14, 1.4.7, 1.5.2 and 1.6.4, request parameters injected inside an expression evaluated by `symfony/expression-language` package haven't been sanitized properly. This allows the attacker to access any public service by manipulating that request parameter, allowing for Remote Code Execution. This issue has been patched for versions 1.3.14, 1.4.7, 1.5.2 and 1.6.4. Versions prior to 1.3 were not patched.

CVSS Metrics

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Attack Vector: network
Complexity: low
Privileges: low
User Action: none
Scope: changed
Confidentiality: high
Integrity: high
Availability: none
Weaknesses: CWE-74 CWE-917

Metadata

Primary Vendor: SYLIUS
Published: 8/20/2020
Last Modified: 11/21/2024
Source: NIST NVD
Note: Verify all details with official vendor sources before applying patches.

Affected Products

sylius : syliusresourcebundlesylius : syliusresourcebundlesylius : syliusresourcebundlesylius : syliusresourcebundle

Remediation Guidance

Executive Summary

View on NIST NVD