CVE-2019-16768

In affected versions of Sylius, exception messages from internal exceptions (like database exception) are wrapped by \Symfony\Component\Security\Core\Exception\AuthenticationServiceException and propagated through the system to UI. Therefore, some internal system information may leak and be visible to the customer. A validation message with the exception details will be presented to the user when one will try to log into the shop. This has been patched in versions 1.3.14, 1.4.10, 1.5.7, and 1.6.3.

In affected versions of Sylius, exception messages from internal exceptions (like database exception) are wrapped by \Symfony\Component\Security\Core\Exception\AuthenticationServiceException and propagated through the system to UI. Therefore, some internal system information may leak and be visible to the customer. A validation message with the exception details will be presented to the user when one will try to log into the shop. This has been patched in versions 1.3.14, 1.4.10, 1.5.7, and 1.6.3.

## Internal exception message exposure for login action ### Impact Exception messages from internal exceptions (like database exception) are wrapped by `\Symfony\Component\Security\Core\Exception\AuthenticationServiceException` and propagated through the system to UI. Therefore, some internal system information may leak and be visible to the customer. A validation message with the exception details will be presented to the user when one will try to log into the shop. ### Patches _Has the problem been patched? What versions should users upgrade to?_ ### Workarounds The `src/Sylius/Bundle/UiBundle/Resources/views/Security/_login.html.twig` file should be overridden and lines https://github.com/Sylius/Sylius/blob/1.4/src/Sylius/Bundle/UiBundle/Resources/views/Security/_login.html.twig#L13-L17 should be replaced with ```twig {% if last_error %} <div class="ui left aligned basic segment"> {{ messages.error(last_error.messageKey) }} </div> {% endif %} ``` The `messageKey` field should be used instead of the `message`.

## Internal exception message exposure for login action ### Impact Exception messages from internal exceptions (like database exception) are wrapped by `\Symfony\Component\Security\Core\Exception\AuthenticationServiceException` and propagated through the system to UI. Therefore, some internal system information may leak and be visible to the customer. A validation message with the exception details will be presented to the user when one will try to log into the shop. ### Patches _Has the problem been patched? What versions should users upgrade to?_ ### Workarounds The `src/Sylius/Bundle/UiBundle/Resources/views/Security/_login.html.twig` file should be overridden and lines https://github.com/Sylius/Sylius/blob/1.4/src/Sylius/Bundle/UiBundle/Resources/views/Security/_login.html.twig#L13-L17 should be replaced with ```twig {% if last_error %} <div class="ui left aligned basic segment"> {{ messages.error(last_error.messageKey) }} </div> {% endif %} ``` The `messageKey` field should be used instead of the `message`.

Unos mensajes de excepción de las excepciones internas (como la excepción de la base de datos) están empaquetados por \Symfony\Component\Security\Core\Exception\AuthenticationServiceException y se propagan por medio del sistema a la Interfaz de Usuario. Por lo tanto, algo de la información interna del sistema puede filtrarse y ser visible para el cliente. Un mensaje de comprobación con los detalles de la excepción será presentado al usuario cuando uno intentase iniciar sesión en la tienda.