CVE-2020-15245
MEDIUMDescription
In Sylius before versions 1.6.9, 1.7.9 and 1.8.3, the user may register in a shop by email [email protected], verify it, change it to the mail [email protected] and stay verified and enabled. This may lead to having accounts addressed to totally different emails, that were verified. Note, that this way one is not able to take over any existing account (guest or normal one). The issue has been patched in Sylius 1.6.9, 1.7.9 and 1.8.3. As a workaround, you may resolve this issue on your own by creating a custom event listener, which will listen to the sylius.customer.pre_update event. You can determine that email has been changed if customer email and user username are different. They are synchronized later on. Pay attention, to email changing behavior for administrators. You may need to skip this logic for them. In order to achieve this, you should either check master request path info, if it does not contain /admin prefix or adjust event triggered during customer update in the shop. You can find more information on how to customize the event here.
How to fix
Remediation is compiled from vendor and distribution security advisories. Always confirm against the linked source for your exact version and platform.
CVSS v3 Vector
Exploitability
Impact
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Exploit Intelligence
Moderate risk: more likely to be exploited than 45% of all known CVEs.
References
Related Vulnerabilities
Other CWE-79 (Cross-Site Scripting (XSS)) vulnerabilities, ordered by exploit likelihood. View all
| CVE | Severity | CVSS | EPSS | Exploited | Fix |
|---|---|---|---|---|---|
| CVE-2020-11022 | Medium | 6.9 | 99% | - | Fix |
| CVE-2019-3929 | Critical | 9.8 | 99% | KEV | Fix |
| CVE-2020-9496 | Medium | 6.1 | 99% | - | - |
| CVE-2023-28341 | Medium | 6.1 | 99% | - | Fix |
| CVE-2018-12998 | Medium | 6.1 | 98% | - | - |
| CVE-2025-4123 | High | 7.6 | 98% | - | Fix |
Embed a live status badge for CVE-2020-15245
Markdown
[](https://tridentstack.com/cve/CVE-2020-15245)HTML
<a href="https://tridentstack.com/cve/CVE-2020-15245"><img src="https://tridentstack.com/cve/badge/CVE-2020-15245.svg" alt="CVE-2020-15245"></a>Find and fix vulnerabilities across your fleet
TridentStack Control continuously scans your Windows, macOS, and Linux fleet for known vulnerabilities, prioritizes them by severity and active exploitation, and patches them automatically.
Start freeThis product uses NVD data but is not endorsed or certified by the NVD. EPSS scores courtesy of FIRST.org (https://www.first.org/epss). Source: CISA KEV Catalog. Data as of 2024-11-21.