Pamil

**Name of the Vulnerable Software and Affected Versions** Sylius versions prior to 1.9.5 and 1.10.0-RC.1 **Description** The issue is related to the exposure of certain order details, including order ID, order number, items total, and token value, to unauthorized users. This information, while not personal, could be used for sociotechnical attacks or to expose details about the shop's condition to third parties. Additional information, such as the number of items in the cart and the shipping date, may also be accessible if the issue is exploited properly. **Recommendations** For Sylius versions prior to 1.9.5, update to version 1.9.5 or later. For Sylius versions prior to 1.10.0-RC.1, update to version 1.10.0-RC.1 or later. As a temporary workaround, consider hiding the problematic endpoints behind a firewall from non-logged-in users by adding the necessary configuration in `config/packages/security.yaml`. Alternatively, decorate the `SyliusBundleApiBundleDoctrineQueryCollectionExtensionOrdersByLoggedInUserExtension` and throw a `SymfonyComponentSecurityCoreExceptionAccessDeniedException` if the class is executed for an unauthorized user.

**Name of the Vulnerable Software and Affected Versions** Sylius ResourceBundle versions prior to 1.3.13 Sylius ResourceBundle versions 1.3.0 through 1.3.12 Sylius ResourceBundle versions 1.4.0 through 1.4.5 Sylius ResourceBundle versions 1.5.0 Sylius ResourceBundle versions 1.6.0 through 1.6.2 **Description** The issue arises from Sylius ResourceBundle accepting and using any serialisation groups passed via an HTTP header, potentially leading to data exposure by using an unintended serialisation group. For example, it could make Shop API use a more permissive group from Admin API. Anyone exposing an API with ResourceBundle's controller is affected. The vulnerability also involves the ability to switch channels via the ` channel code` GET parameter in production environments due to a configuration issue. **Recommendations** For Sylius ResourceBundle versions prior to 1.3.13, update to version 1.3.13 or newer. For Sylius ResourceBundle versions 1.3.0 through 1.3.12, update to version 1.3.13 or newer. For Sylius ResourceBundle versions 1.4.0 through 1.4.5, update to version 1.4.6 or newer. For Sylius ResourceBundle version 1.5.0, update to version 1.5.1 or newer. For Sylius ResourceBundle versions 1.6.0 through 1.6.2, update to version 1.6.3 or newer. As a temporary workaround for unsupported versions, consider adding the configuration `sylius channel: debug: false` to prevent the debug feature from being enabled. Service `sylius.resource controller.request configuration factory` can be overridden to prevent the use of custom serialisation groups via the HTTP header.

**Name of the Vulnerable Software and Affected Versions** Sylius versions prior to 1.3.14 Sylius versions prior to 1.4.10 Sylius versions prior to 1.5.7 Sylius versions prior to 1.6.3 **Description** In affected versions of Sylius, exception messages from internal exceptions, such as database exceptions, are wrapped by `SymfonyComponentSecurityCoreExceptionAuthenticationServiceException` and propagated through the system to the UI. This may cause some internal system information to leak and be visible to the customer. A validation message with the exception details will be presented to the user when they try to log into the shop. **Recommendations** For Sylius versions prior to 1.3.14, update to version 1.3.14 or later. For Sylius versions prior to 1.4.10, update to version 1.4.10 or later. For Sylius versions prior to 1.5.7, update to version 1.5.7 or later. For Sylius versions prior to 1.6.3, update to version 1.6.3 or later. As a temporary workaround, override the `src/Sylius/Bundle/UiBundle/Resources/views/Security/ login.html.twig` file and replace lines with the provided code to prevent exception details from being displayed to the user.