Advisory Database
  • Advisories
  • Dependency Scanning
  1. composer
  2. ›
  3. sylius/sylius
  4. ›
  5. CVE-2021-32720

CVE-2021-32720: Information Exposure

June 28, 2021 (updated July 2, 2021)

Sylius is an Open Source eCommerce platform on top of Symfony. An issue was found in Sylius, where part of the details (order ID, order number, items total, and token value) of all placed orders are exposed to unauthorized users. If exploited properly, a few additional information like the number of items in the cart and the date of the shipping may be fetched as well. This data seems to not be crucial nor is personal data, however, could be used for sociotechnical attacks or may expose a few details about shop condition to the third parties. The data possible to aggregate are the number of processed orders or their value in the moment of time. There are a few workarounds for the vulnerability. The first possible solution is to hide the problematic endpoints behind the firewall from not logged in users. This would put only the order list under the firewall and allow only authorized users to access it. Once a user is authorized, it will have access to theirs orders only. The second possible solution is to decorate the \Sylius\Bundle\ApiBundle\Doctrine\QueryCollectionExtension\OrdersByLoggedInUserExtension and throw Symfony\Component\Security\Core\Exception\AccessDeniedException if the class is executed for unauthorized user.

References

  • nvd.nist.gov/vuln/detail/CVE-2021-32720

Code Behaviors & Features

Detect and mitigate CVE-2021-32720 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →

Affected versions

All versions starting from 1.9.0 before 1.9.5

Fixed versions

  • 1.9.5

Solution

Upgrade to version 1.9.5 or above.

Impact 5.3 MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Learn more about CVSS

Weakness

  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

Source file

packagist/sylius/sylius/CVE-2021-32720.yml

Spotted a mistake? Edit the file on GitLab.

  • Site Repo
  • About GitLab
  • Terms
  • Privacy Statement
  • Contact

Page generated Wed, 14 May 2025 12:15:06 +0000.