Lucene search

K
cve[email protected]CVE-2021-32720
HistoryJun 28, 2021 - 7:15 p.m.

CVE-2021-32720

2021-06-2819:15:11
CWE-200
web.nvd.nist.gov
61
2
sylius
ecommerce
symfony
cve-2021-32720
security
vulnerability
patch
authorization
data exposure
access control

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

5.1 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

30.9%

Sylius is an Open Source eCommerce platform on top of Symfony. In versions of Sylius prior to 1.9.5 and 1.10.0-RC.1, part of the details (order ID, order number, items total, and token value) of all placed orders were exposed to unauthorized users. If exploited properly, a few additional information like the number of items in the cart and the date of the shipping may be fetched as well. This data seems to not be crucial nor is personal data, however, could be used for sociotechnical attacks or may expose a few details about shop condition to the third parties. The data possible to aggregate are the number of processed orders or their value in the moment of time. The problem has been patched at Sylius 1.9.5 and 1.10.0-RC.1. There are a few workarounds for the vulnerability. The first possible solution is to hide the problematic endpoints behind the firewall from not logged in users. This would put only the order list under the firewall and allow only authorized users to access it. Once a user is authorized, it will have access to theirs orders only. The second possible solution is to decorate the \Sylius\Bundle\ApiBundle\Doctrine\QueryCollectionExtension\OrdersByLoggedInUserExtension and throw Symfony\Component\Security\Core\Exception\AccessDeniedException if the class is executed for unauthorized user.

Affected configurations

Vulners
NVD
Node
syliussyliusRange1.9.0–1.9.5
OR
syliussyliusRange1.10.0-ALPHA.1–1.10.0-BETA.1
VendorProductVersionCPE
syliussylius*cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*
syliussylius*cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*

CNA Affected

[
  {
    "product": "Sylius",
    "vendor": "Sylius",
    "versions": [
      {
        "status": "affected",
        "version": ">= 1.9.0, < 1.9.5"
      },
      {
        "status": "affected",
        "version": ">= 1.10.0-ALPHA.1, <= 1.10.0-BETA.1"
      }
    ]
  }
]

Social References

More

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

5.1 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

30.9%

Related for CVE-2021-32720