CVE-2024-40633

Name of the Vulnerable Software and Affected Versions Sylius versions prior to 1.12.19 Sylius versions prior to 1.13.4

Description A security issue was discovered in the "/api/v2/shop/adjustments/{id}" endpoint, which retrieves order adjustments based on incremental integer IDs. The issue allows an attacker to enumerate valid adjustment IDs and retrieve order tokens. Using these tokens, an attacker can access guest customer order details, including sensitive guest customer information.

Recommendations For Sylius versions prior to 1.12.19, upgrade to version 1.12.19 or above. For Sylius versions prior to 1.13.4, upgrade to version 1.13.4 or above. As a temporary workaround for users unable to upgrade, alter the configuration to mitigate this issue by creating a "config/api platform/Adjustment.yaml" file with the specified settings or by modifying the "config/api platform/Adjustment.xml" file to change the "shop get" operation.