3 matches found
Sylius is Missing Authorization in API v2 Add Item Endpoint
Impact The POST /api/v2/shop/orders/tokenValue/items endpoint does not verify cart ownership. An unauthenticated attacker can add items to other registered customers' carts by knowing the cart tokenValue. POST /api/v2/shop/orders/tokenValue/items Other mutation endpoints PUT, PATCH, DELETE are no...
CVE-2026-31821 Sylius is Missing Authorization in API v2 Add Item Endpoint
Sylius is an Open Source eCommerce Framework on Symfony. The POST /api/v2/shop/orders/tokenValue/items endpoint does not verify cart ownership. An unauthenticated attacker can add items to other registered customers' carts by knowing the cart tokenValue. An attacker who obtains a cart tokenValue...
PT-2026-21433
Inventory Webapp contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through GET parameters. Attackers can supply malicious SQL payloads in the name, description, quantity, or cat id parameters to add-item.php to execu...