
Rokorolov

#39454de 53,638
6.9 CVSS total
Vulnerabilities · 1
PT-2026-24475
6.9
2026-03-10
Sylius · Sylius · CVE-2026-31821
**Name of the Vulnerable Software and Affected Versions**

- Sylius versions prior to 2.0.16
- Sylius versions prior to 2.1.12
- Sylius versions prior to 2.2.3

**Description**

The POST `/api/v2/shop/orders/{tokenValue}/items` endpoint in Sylius does not verify cart ownership. This allows an unauthenticated attacker to add items to other registered customers' carts if they know the `tokenValue`. An attacker obtaining a `tokenValue` can add arbitrary items to another customer’s cart. The endpoint returns the full cart representation in the response (HTTP 201).

**Recommendations**

- Update to Sylius version 2.0.16 or later.
- Update to Sylius version 2.1.12 or later.
- Update to Sylius version 2.2.3 or later.