Описание
Sylius has a security vulnerability via adjustments API endpoint
Impact
A security vulnerability was discovered in the /api/v2/shop/adjustments/{id} endpoint, which retrieves order adjustments based on incremental integer IDs. The vulnerability allows an attacker to enumerate valid adjustment IDs and retrieve order tokens. Using these tokens, an attacker can access guest customer order details - sensitive guest customer information.
Patches
The issue is fixed in versions: 1.12.19, 1.13.4 and above. The /api/v2/shop/adjustments/{id} will always return 404 status.
Workarounds
Using YAML configuration:
Create config/api_platform/Adjustment.yaml file:
Or using XML configuration:
Copy the original configuration from vendor:
And change the shop_get operation in copied config/api_platform/Adjustment.xml file:
For more information
If you have any questions or comments about this advisory:
- Open an issue in Sylius issues
- Email us at security@sylius.com
Пакеты
sylius/sylius
< 1.12.19
1.12.19
sylius/sylius
>= 1.13.0-alpha.1, < 1.13.4
1.13.4
Связанные уязвимости
Sylius is an Open Source eCommerce Framework on Symfony. A security vulnerability was discovered in the `/api/v2/shop/adjustments/{id}` endpoint, which retrieves order adjustments based on incremental integer IDs. The vulnerability allows an attacker to enumerate valid adjustment IDs and retrieve order tokens. Using these tokens, an attacker can access guest customer order details - sensitive guest customer information. The issue is fixed in versions: 1.12.19, 1.13.4 and above. The `/api/v2/shop/adjustments/{id}` will always return `404` status. Users are advised to upgrade. Users unable to upgrade may alter their config to mitigate this issue. Please see the linked GHSA for details.