Home > Vulnerability Database > CVE-2024-40633

Mend.io Vulnerability Database

CVE-2024-40633

Good to know:

Date: July 17, 2024

Sylius is an Open Source eCommerce Framework on Symfony. A security vulnerability was discovered in the `/api/v2/shop/adjustments/{id}` endpoint, which retrieves order adjustments based on incremental integer IDs. The vulnerability allows an attacker to enumerate valid adjustment IDs and retrieve order tokens. Using these tokens, an attacker can access guest customer order details - sensitive guest customer information. The issue is fixed in versions: 1.12.19, 1.13.4 and above. The `/api/v2/shop/adjustments/{id}` will always return `404` status. Users are advised to upgrade. Users unable to upgrade may alter their config to mitigate this issue. Please see the linked GHSA for details.

Language: PHP

Severity Score

5.3

Related Resources (5)

Url: https://github.com/Sylius/Sylius/commit/d833b2871caa3b8d1f0a8207378bb778f0b90464

Url: https://github.com/Sylius/Sylius/security/advisories/GHSA-55rf-8q29-4g43

Url: https://github.com/Sylius/Sylius

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-40633

Url: https://www.mend.io/vulnerability-database/CVE-2024-40633

Severity Score

5.3

Weakness Type (CWE)

Information Leak / Disclosure

CWE-200

Authorization Bypass Through User-Controlled Key

CWE-639

Top Fix

Upgrade Version

Upgrade to version sylius/sylius-v1.12.19,v1.13.4

Learn More

CVSS v3.1

Base Score:	5.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-40633

Good to know:

Date: July 17, 2024

Language: PHP

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?