7 matches found
EUVD-2026-10915
Sylius is Missing Authorization in API v2 Add Item Endpoint...
EUVD-2026-10914
Sylius is Missing Authorization in API v2 Add Item Endpoint...
Missing Authorization
Overview sylius/sylius is a platform for PHP, based on Symfony framework. Affected versions of this package are vulnerable to Missing Authorization via the POST /api/v2/shop/orders/tokenValue/items endpoint. An attacker can gain unauthorized access to and manipulate another user's shopping cart b...
GHSA-WJMG-4CQ5-M8HG Sylius is Missing Authorization in API v2 Add Item Endpoint
Impact The POST /api/v2/shop/orders/tokenValue/items endpoint does not verify cart ownership. An unauthenticated attacker can add items to other registered customers' carts by knowing the cart tokenValue. POST /api/v2/shop/orders/tokenValue/items Other mutation endpoints PUT, PATCH, DELETE are no...
CVE-2026-31821
Sylius is an Open Source eCommerce Framework on Symfony. The POST /api/v2/shop/orders/tokenValue/items endpoint does not verify cart ownership. An unauthenticated attacker can add items to other registered customers' carts by knowing the cart tokenValue. An attacker who obtains a cart tokenValue...
CVE-2026-31821 Sylius is Missing Authorization in API v2 Add Item Endpoint
Sylius is an Open Source eCommerce Framework on Symfony. The POST /api/v2/shop/orders/tokenValue/items endpoint does not verify cart ownership. An unauthenticated attacker can add items to other registered customers' carts by knowing the cart tokenValue. An attacker who obtains a cart tokenValue...
CVE-2026-31821 Sylius is Missing Authorization in API v2 Add Item Endpoint
Sylius is an Open Source eCommerce Framework on Symfony. The POST /api/v2/shop/orders/tokenValue/items endpoint does not verify cart ownership. An unauthenticated attacker can add items to other registered customers' carts by knowing the cart tokenValue. An attacker who obtains a cart tokenValue...