Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
vulnrichmentGitHub_MVULNRICHMENT:CVE-2024-40633
HistoryJul 17, 2024 - 5:51 p.m.

CVE-2024-40633 Customer data leak via adjustments API endpoint in Sylius

2024-07-1717:51:45
CWE-200
GitHub_M
github.com
8
sylius
ecommerce
symfony
security vulnerability
api endpoint
customer data leak
order tokens
guest customer information
vulnerability fix
upgrade
ghsa

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

AI Score

6.6

Confidence

Low

EPSS

0

Percentile

9.3%

SSVC

Exploitation

none

Automatable

yes

Technical Impact

partial

JSON

Sylius is an Open Source eCommerce Framework on Symfony. A security vulnerability was discovered in the /api/v2/shop/adjustments/{id} endpoint, which retrieves order adjustments based on incremental integer IDs. The vulnerability allows an attacker to enumerate valid adjustment IDs and retrieve order tokens. Using these tokens, an attacker can access guest customer order details - sensitive guest customer information. The issue is fixed in versions: 1.12.19, 1.13.4 and above. The /api/v2/shop/adjustments/{id} will always return 404 status. Users are advised to upgrade. Users unable to upgrade may alter their config to mitigate this issue. Please see the linked GHSA for details.

CNA Affected

[
  {
    "vendor": "Sylius",
    "product": "Sylius",
    "versions": [
      {
        "status": "affected",
        "version": "< 1.12.19"
      },
      {
        "status": "affected",
        "version": ">= 1.13.0, < 1.13.4"
      }
    ]
  }
]

ADP Affected

[
  {
    "cpes": [
      "cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*"
    ],
    "vendor": "sylius",
    "product": "sylius",
    "versions": [
      {
        "status": "affected",
        "version": "0",
        "lessThan": "1.12.19",
        "versionType": "custom"
      },
      {
        "status": "affected",
        "version": "0",
        "lessThan": "1.12",
        "versionType": "custom"
      },
      {
        "status": "affected",
        "version": "0",
        "lessThan": "1.13.4",
        "versionType": "custom"
      }
    ],
    "defaultStatus": "unknown"
  }
]

Related

osv 1
veracode 1
nvd 1
cvelist 1
cve 1
github 1
osv
osv
Sylius has a security vulnerability via adjustments API endpoint
2024-07-17 14:32:18
veracode
veracode
Information Disclosure
2024-07-18 08:45:45
nvd
nvd
CVE-2024-40633
2024-07-17 18:15:04
cvelist
cvelist
CVE-2024-40633 Customer data leak via adjustments API endpoint in Sylius
2024-07-17 17:51:45
cve
cve
CVE-2024-40633
2024-07-17 18:15:04
github
github
Sylius has a security vulnerability via adjustments API endpoint
2024-07-17 14:32:18

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

AI Score

6.6

Confidence

Low

EPSS

0

Percentile

9.3%

SSVC

Exploitation

none

Automatable

yes

Technical Impact

partial

JSON
Related for VULNRICHMENT:CVE-2024-40633
osv1veracode1nvd1cvelist1cve1github1