{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-18T21:04:36.232","vulnerabilities":[{"cve":{"id":"CVE-2020-5220","sourceIdentifier":"security-advisories@github.com","published":"2020-01-27T21:15:11.430","lastModified":"2024-11-21T05:33:42.347","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"Sylius ResourceBundle accepts and uses any serialisation groups to be passed via a HTTP header. This might lead to data exposure by using an unintended serialisation group - for example it could make Shop API use a more permissive group from Admin API. Anyone exposing an API with ResourceBundle's controller is affected. The vulnerable versions are: <1.3 || >=1.3.0 <=1.3.12 || >=1.4.0 <=1.4.5 || >=1.5.0 <=1.5.0 || >=1.6.0 <=1.6.2. The patch is provided for Sylius ResourceBundle 1.3.13, 1.4.6, 1.5.1 and 1.6.3, but not for any versions below 1.3."},{"lang":"es","value":"Sylius ResourceBundle acepta y usa cualquier grupo de serialización para ser pasado por medio de un encabezado HTTP. Esto podría conllevar a una exposición de datos mediante el uso de un grupo de serialización no intencionado; por ejemplo, esto podría hacer que la API Shop use un grupo más permisivo desde la API Admin. Cualquier persona que exponga una API con el controlador de ResourceBundle está afectada. Las versiones vulnerables son: versiones anteriores a 1.3 || versiones desde 1.3.0 hasta 1.3.12, incluyéndolas || versiones desde 1.4.0  hasta 1.4.5, incluyéndolas || versiones desde 1.5.0 hasta 1.5.0, incluyéndolas || versiones desde 1.6.0 hasta 1.6.2, incluyéndolas. El parche es proporcionado para Sylius ResourceBundle versiones 1.3.13, 1.4.6, 1.5.1 y 1.6.3, pero no para las versiones por debajo de 1.3."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N","baseScore":4.4,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":1.3,"impactScore":2.7},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":1.4}],"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:N/A:N","baseScore":5.0,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"NONE","availabilityImpact":"NONE"},"baseSeverity":"MEDIUM","exploitabilityScore":10.0,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-444"}]},{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-200"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:sylius:syliusresourcebundle:*:*:*:*:*:*:*:*","versionStartIncluding":"1.3.0","versionEndIncluding":"1.3.12","matchCriteriaId":"16C8DF29-A40B-43A1-B2AD-B81C6521B200"},{"vulnerable":true,"criteria":"cpe:2.3:a:sylius:syliusresourcebundle:*:*:*:*:*:*:*:*","versionStartIncluding":"1.4.0","versionEndIncluding":"1.4.5","matchCriteriaId":"D8C80037-956E-4B8E-8634-7F48715D294A"},{"vulnerable":true,"criteria":"cpe:2.3:a:sylius:syliusresourcebundle:*:*:*:*:*:*:*:*","versionStartIncluding":"1.6.0","versionEndIncluding":"1.6.2","matchCriteriaId":"87B53540-066D-44C5-BE9E-0F05A9FF331D"},{"vulnerable":true,"criteria":"cpe:2.3:a:sylius:syliusresourcebundle:1.5.0:*:*:*:*:*:*:*","matchCriteriaId":"A7897F8D-F10F-494D-A7E4-49AFDCC80D96"}]}]}],"references":[{"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/sylius/resource-bundle/CVE-2020-5220.yaml","source":"security-advisories@github.com","tags":["Third Party Advisory"]},{"url":"https://github.com/Sylius/SyliusResourceBundle/security/advisories/GHSA-8vp7-j5cj-vvm2","source":"security-advisories@github.com","tags":["Third Party Advisory"]},{"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/sylius/resource-bundle/CVE-2020-5220.yaml","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"]},{"url":"https://github.com/Sylius/SyliusResourceBundle/security/advisories/GHSA-8vp7-j5cj-vvm2","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"]}]}}]}