CVE-2020-5218

CVE-2020-5218 is a medium-severity vulnerability in Sylius with a CVSS 3.x base score of 4.4. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-444.

Key facts

Description

Affected versions of Sylius give attackers the ability to switch channels via the _channel_code GET parameter in production environments. This was meant to be enabled only when kernel.debug is set to true. However, if no sylius_channel.debug is set explicitly in the configuration, the default value which is kernel.debug will be not resolved and cast to boolean, enabling this debug feature even if that parameter is set to false. Patch has been provided for Sylius 1.3.x and newer - 1.3.16, 1.4.12, 1.5.9, 1.6.5. Versions older than 1.3 are not covered by our security support anymore.

Frequently asked questions

What is CVE-2020-5218?
Affected versions of Sylius give attackers the ability to switch channels via the _channel_code GET parameter in production environments. This was meant to be enabled only when kernel.debug is set to true. However, if no sylius_channel.debug is set explicitly in the configuration, the default value which is kernel.debug will be not resolved and cast to boolean, enabling this debug feature even if that parameter is set to false. Patch has been provided for Sylius 1.3.x and newer - 1.3.16, 1.4.12, 1.5.9, 1.6.5. Versions older than 1.3 are not covered by our security support anymore.
How severe is CVE-2020-5218?
CVE-2020-5218 has a CVSS 3.x base score of 4.4, rated medium severity. It is exploitable over network with high attack complexity, requires low privileges and user interaction. Impact on confidentiality is low, integrity low, and availability none.
Is CVE-2020-5218 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (44th percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2020-5218?
CVE-2020-5218 primarily affects Sylius. In total, 2 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2020-5218?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
When was CVE-2020-5218 published?
CVE-2020-5218 was published on 2020-01-27 and last updated on 2026-06-17.

References

Affected products (2)

More vulnerabilities in Sylius

All CVEs affecting Sylius →

Other CWE-444 (HTTP Request/Response Smuggling) vulnerabilities

Browse all CWE-444 (HTTP Request/Response Smuggling) vulnerabilities →