PT-2021-3490 · Sylius · Sylius

Nickvanderzwet

Published: 2021-06-28 · Updated: 2021-07-02 · CVE-2021-32720

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Sylius versions prior to 1.9.5 and 1.10.0-RC.1
Description: The issue is the exposure of certain order details, including order ID, order number, items total, and token value, to unauthorized users. This information is not personal data, but it could be used for sociotechnical attacks or could reveal details about the shop's condition to third parties. Additional information, such as the number of items in the cart and the shipping date, may also be accessible if the issue is exploited properly.
Recommendations: For Sylius versions prior to 1.9.5, update to version 1.9.5 or later. For Sylius versions prior to 1.10.0-RC.1, update to version 1.10.0-RC.1 or later. As a temporary workaround, hide the problematic endpoints behind the firewall from non-logged-in users by adding the necessary access rules in config/packages/security.yaml. Alternatively, decorate Sylius\Bundle\ApiBundle\Doctrine\QueryCollectionExtension\OrdersByLoggedInUserExtension and throw a Symfony\Component\Security\Core\Exception\AccessDeniedException if the class is executed for an unauthorized user.
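The decorator workaround described above, written out as an added example; this is not code from Sylius or from the advisory. It assumes the API Platform 2.x interface ContextAwareQueryCollectionExtensionInterface and its applyToCollection signature, the Sylius\Bundle\ApiBundle\Context\UserContextInterface service for reading the current user, and that the stock extension is registered under its class name as the service id; the class name DenyAnonymousOrdersExtension is hypothetical.

```php
<?php

declare(strict_types=1);

namespace App\Api\Doctrine;

use ApiPlatform\Core\Bridge\Doctrine\Orm\Extension\ContextAwareQueryCollectionExtensionInterface;
use ApiPlatform\Core\Bridge\Doctrine\Orm\Util\QueryNameGeneratorInterface;
use Doctrine\ORM\QueryBuilder;
use Sylius\Bundle\ApiBundle\Context\UserContextInterface;
use Sylius\Component\Core\Model\OrderInterface;
use Symfony\Component\Security\Core\Exception\AccessDeniedException;

/**
 * Hypothetical decorator (added example, not Sylius code) wrapping
 * Sylius\Bundle\ApiBundle\Doctrine\QueryCollectionExtension\OrdersByLoggedInUserExtension.
 *
 * The stock extension narrows order collections to the logged-in customer.
 * When it would run with no user at all, this wrapper refuses the request
 * before any query is built, so an anonymous caller never receives an
 * order listing. Authenticated users (shop or admin) pass through unchanged.
 */
final class DenyAnonymousOrdersExtension implements ContextAwareQueryCollectionExtensionInterface
{
    /** @var ContextAwareQueryCollectionExtensionInterface */
    private $decorated;

    /** @var UserContextInterface */
    private $userContext;

    public function __construct(
        ContextAwareQueryCollectionExtensionInterface $decorated,
        UserContextInterface $userContext
    ) {
        $this->decorated = $decorated;
        $this->userContext = $userContext;
    }

    public function applyToCollection(
        QueryBuilder $queryBuilder,
        QueryNameGeneratorInterface $queryNameGenerator,
        string $resourceClass,
        ?string $operationName = null,
        array $context = []
    ): void {
        // Only order collections are affected; every other resource passes straight through.
        $isOrderCollection = is_a($resourceClass, OrderInterface::class, true);

        if ($isOrderCollection && $this->userContext->getUser() === null) {
            // Deny before the decorated extension (or any filter it adds) can run.
            throw new AccessDeniedException('Listing orders requires an authenticated user.');
        }

        $this->decorated->applyToCollection(
            $queryBuilder,
            $queryNameGenerator,
            $resourceClass,
            $operationName,
            $context
        );
    }
}
```

To wire it in, register the class in config/services.yaml with `decorates:` pointing at the stock extension's service id and pass `@.inner` as the first constructor argument (assuming autowiring supplies the UserContextInterface). Because the check is on "no user at all" rather than on a role, admin API requests, which carry an admin user, are not affected; the firewall access rule remains the simpler option when the API shop section should be closed to anonymous callers altogether.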

Fix

Information Disclosure


Weakness Enumeration

Related Identifiers

BDU:2021-03520
CVE-2021-32720
GHSA-RPXH-VG2X-526V

Affected Products

Sylius