Categories: Technical
Security blog post – 1.12.19 and 1.13.4

We got you covered, as long as you have your application up-to-date.

Although perfection is unattainable, our commitment to excellence remains unwavering. No vendor enjoys announcing security updates, yet every piece of software has its weaknesses and vulnerabilities. We take every security issue seriously and are dedicated to providing the best protection for our users. Today we are releasing important security fixes for Sylius versions 1.12 and 1.13.

Sylius 1.12 and above

CVE-2024-40633: Ability to retrieve Adjustments with an incremental integer ID in an API endpoint

The original security advisory has been published on GitHub in the Sylius/Sylius repository.

Is my store affected by this vulnerability?

This issue is present in all Sylius versions before 1.12.19 and 1.13.4. This only affects the base API endpoints provided by Sylius.

Impact

A security vulnerability was discovered in the /api/v2/shop/adjustments/{id} endpoint, which retrieves order adjustments by their incremental integer IDs. Because the IDs are sequential, an attacker can enumerate valid adjustment IDs and read the order tokens returned with them. With those tokens, the attacker can access guest customers' order details, which contain sensitive guest customer information.

Patches

The issue is fixed in versions 1.12.19 and 1.13.4 and above.

Workarounds

Using YAML configuration:

Create the config/api_platform/Adjustment.yaml file:

https://gist.github.com/GSadee/891c0c616846e2820f2f66bb1f829e0b#file-adjustment-yaml

Or using XML configuration:

Copy the original configuration from vendor:

https://gist.github.com/GSadee/891c0c616846e2820f2f66bb1f829e0b#file-bash-sh

And change the shop_get operation in the copied config/api_platform/Adjustment.xml file:

https://gist.github.com/GSadee/891c0c616846e2820f2f66bb1f829e0b#file-adjustment-xml

Grzegorz Sadowski
Grzegorz is primarily one of Sylius' most experienced software developers and also our Scrum Master. As he has a knack for detail in numbers, he also keeps an eye on our financial and legal operations. Privately, he has been a Madridista since childhood. He would literally enjoy driving any car on earth. He has already planned to buy an electric Audi for his tiny daughter.