CVE-2023-27568

Name of the Vulnerable Software and Affected Versions Spryker Commerce OS version 0.9

Description The issue allows for access to sensitive data via the customer/order?orderSearchForm[searchText]= API endpoint, specifically through the searchText variable. This is a SQL injection vulnerability, which means an attacker can inject malicious SQL code to manipulate the database. No information is provided about the estimated number of potentially affected devices worldwide or real-world incidents where this issue was exploited.

Recommendations For Spryker Commerce OS version 0.9, as a temporary workaround, consider restricting access to the customer/order API endpoint or sanitizing the searchText variable to prevent SQL injection attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.