
CVE-2019-16768: Internal exception message exposure for login action in Sylius

CVSS Score: 3.5 (CVSS v3.1)

Basic Information

EPSS Score: 0.56663%
Published: 12/5/2019
Updated: 1/9/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

Package Name    Ecosystem   Vulnerable Versions   First Patched Version
sylius/sylius   composer    < 1.3.14              1.3.14
sylius/sylius   composer    >= 1.4.0, < 1.4.10    1.4.10
sylius/sylius   composer    >= 1.5.0, < 1.5.7     1.5.7
sylius/sylius   composer    >= 1.6.0, < 1.6.3     1.6.3

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from the Twig template (_login.html.twig) using last_error.message to display authentication error messages. The 'message' property carries the raw text of the underlying internal exception (e.g., a database error), whereas 'messageKey' is a fixed, translatable identifier that is safe to show to users. The patch explicitly replaces last_error.message with last_error.messageKey in the template, confirming this as the root cause. No specific PHP functions are directly implicated; the exposure occurs at the template layer due to improper error message handling.
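As an added illustration (not code from the Miggo page or from the Sylius project), the vulnerable Twig pattern described above beside its hardened form. The fragment assumes the controller passes the last AuthenticationException to the template as `last_error`, the usual Symfony login-template convention.

```twig
{# Added example: login form fragment. Assumes the controller hands the last
   AuthenticationException to the template as `last_error` (Symfony convention). #}
{% if last_error %}

    {# VULNERABLE: `message` is the raw text of the wrapped exception. When the
       failure is an AuthenticationServiceException, that text is the internal
       error (for example a database error), and anyone who submits the login
       form can read it in the response. #}
    <div class="alert alert-danger">{{ last_error.message }}</div>

    {# FIXED: `messageKey` is a fixed string defined on the exception class
       (e.g. "Authentication request could not be processed due to a system
       problem."), translated via the `security` domain. `messageData` holds
       only the placeholders that key expects (e.g. the username), so no
       internal detail reaches the user. #}
    <div class="alert alert-danger">
        {{ last_error.messageKey|trans(last_error.messageData, 'security') }}
    </div>

{% endif %}
```

A quick check for the vulnerable pattern in a deployment is to search the login templates for `last_error.message` not followed by `Key`.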


Internal exception message exposure for login action

Impact

Exception messages from internal exceptions (like database exception) are wrapped by `\Symfony\Component\Security\Core\Exception\AuthenticationServiceException` and propagated throug
