CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
AI Score
Confidence
High
EPSS
Percentile
9.3%
A security vulnerability was discovered in the /api/v2/shop/adjustments/{id}
endpoint, which retrieves order adjustments based on incremental integer IDs. The vulnerability allows an attacker to enumerate valid adjustment IDs and retrieve order tokens. Using these tokens, an attacker can access guest customer order details - sensitive guest customer information.
The issue is fixed in versions: 1.12.19, 1.13.4 and above. The /api/v2/shop/adjustments/{id}
will always return 404
status.
Using YAML configuration:
Create config/api_platform/Adjustment.yaml
file:
# config/api_platform/Adjustment.yaml
'%sylius.model.adjustment.class%':
itemOperations:
shop_get:
controller: ApiPlatform\Core\Action\NotFoundAction
read: false
output: false
Or using XML configuration:
Copy the original configuration from vendor:
cp vendor/sylius/sylius/src/Sylius/Bundle/ApiBundle/Resources/config/api_resources/Adjustment.xml config/api_platform
And change the shop_get
operation in copied config/api_platform/Adjustment.xml
file:
...
<itemOperation name="shop_get">
<attribute name="method">GET</attribute>
<attribute name="path">/shop/adjustments/{id}</attribute>
<attribute name="controller">ApiPlatform\Core\Action\NotFoundAction</attribute>
<attribute name="read">false</attribute>
<attribute name="output">false</attribute>
</itemOperation>
...
If you have any questions or comments about this advisory:
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
AI Score
Confidence
High
EPSS
Percentile
9.3%