All versions prior to 1.6.9, versions between 1.7.0 to 1.7.8, and versions 1.8.0, 1.8.1, and 1.8.2 have this vulnerability.
Another way to check whether your application contains known vulnerabilities is to use the Symfony binary. Run `symfony check:security` to scan your application.
Read more here.
The user may register in a shop by email email@example.com, verify it, change it to the mail firstname.lastname@example.org and stay verified and enabled. This may lead to having accounts addressed to totally different emails, that were verified. Note, that this way one is not able to take over any existing account (guest or normal one).
Patch has been provided for Sylius 1.6.x and newer – 1.6.9, 1.7.9, 1.8.3. Versions older than 1.6 are not covered by our security support anymore.
If for whatever reason you are not able to upgrade your application version, you may resolve this issue on your own by creating a custom event listener, which will listen to the `sylius.customer.pre_update` event. You can determine that email has been changed if customer email and user username are different. They are synchronized later on. Pay attention, to email changing behavior for administrators. You may need to skip this logic for them. In order to achieve this, you should either check master request path info, if it does not contain `/admin` prefix or adjust event triggered during customer update in the shop. You can find more information on how to customize the event here.
This security issue has been reported by Mircea Silviu (@decemvre), thanks a lot!