CVE-2020-15245: In Sylius before versions 1.6.9, 1.7.9 and 1.8.3, the user may register in a shop by email mail@example.com, verify it, change it to the mail another@...

Description

In Sylius before versions 1.6.9, 1.7.9 and 1.8.3, the user may register in a shop by email mail@example.com, verify it, change it to the mail another@domain.com and stay verified and enabled. This may lead to having accounts addressed to totally different emails, that were verified. Note, that this way one is not able to take over any existing account (guest or normal one). The issue has been patched in Sylius 1.6.9, 1.7.9 and 1.8.3. As a workaround, you may resolve this issue on your own by creating a custom event listener, which will listen to the sylius.customer.pre_update event. You can determine that email has been changed if customer email and user username are different. They are synchronized later on. Pay attention, to email changing behavior for administrators. You may need to skip this logic for them. In order to achieve this, you should either check master request path info, if it does not contain /admin prefix or adjust event triggered during customer update in the shop. You can find more information on how to customize the event here.

Metrics

CVSS 3.1

4.3/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

EPSS Probability

0.62%

45.1th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Sylius	Sylius	< 1.6.9
Sylius	Sylius	>= 1.7.0, < 1.7.9
Sylius	Sylius	>= 1.8.0, < 1.8.3

References

https://github.com/Sylius/Sylius/commit/60636d711a4011e8694d10d201b53632c7e8ecafPatch, Third Party Advisory
https://github.com/Sylius/Sylius/security/advisories/GHSA-6gw4-x63h-5499Mitigation, Third Party Advisory
https://github.com/Sylius/Sylius/commit/60636d711a4011e8694d10d201b53632c7e8ecafPatch, Third Party Advisory
https://github.com/Sylius/Sylius/security/advisories/GHSA-6gw4-x63h-5499Mitigation, Third Party Advisory

Timeline

Published: Oct 19, 2020
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2020-15245?

In Sylius before versions 1.6.9, 1.7.9 and 1.8.3, the user may register in a shop by email mail@example.com, verify it, change it to the mail another@domain.com and stay verified and enabled. This may lead to having accounts addressed to totally different emails, that were verified. Note, that this way one is not able to take over any existing account (guest or normal one). The issue has been patched in Sylius 1.6.9, 1.7.9 and 1.8.3. As a workaround, you may resolve this issue on your own by creating a custom event listener, which will listen to the sylius.customer.pre_update event. You can determine that email has been changed if customer email and user username are different. They are synchronized later on. Pay attention, to email changing behavior for administrators. You may need to skip this logic for them. In order to achieve this, you should either check master request path info, if it does not contain /admin prefix or adjust event triggered during customer update in the shop. You can find more information on how to customize the event here.

How severe is CVE-2020-15245?

CVE-2020-15245 has a CVSS score of 4.3/10 (MEDIUM severity). The EPSS model estimates a 0.62% probability of exploitation in the next 30 days.

How do I fix CVE-2020-15245?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.