2 matches found
GHSA-WJMG-4CQ5-M8HG Sylius is Missing Authorization in API v2 Add Item Endpoint
Impact The POST /api/v2/shop/orders/tokenValue/items endpoint does not verify cart ownership. An unauthenticated attacker can add items to other registered customers' carts by knowing the cart tokenValue. POST /api/v2/shop/orders/tokenValue/items Other mutation endpoints PUT, PATCH, DELETE are no...
GHSA-2XC6-348P-C2X6 Sylius affected by IDOR in Cart and Checkout LiveComponents
Impact An authenticated Insecure Direct Object Reference IDOR vulnerability exists in multiple shop LiveComponents due to unvalidated resource IDs accepted via LiveArg parameters. Unlike props, which are protected by LiveComponent's @checksum, args are fully user-controlled - any action that...