A security vulnerability was discovered in the /api/v2/shop/adjustments/{id}
endpoint, which retrieves order adjustments based on incremental integer IDs. The vulnerability allows an attacker to enumerate valid adjustment IDs and retrieve order tokens. Using these tokens, an attacker can access guest customer order details - sensitive guest customer information.
The issue is fixed in versions: 1.12.19, 1.13.4 and above. The /api/v2/shop/adjustments/{id}
will always return 404
status.
Using YAML configuration:
Create config/api_platform/Adjustment.yaml
file:
# config/api_platform/Adjustment.yaml
'%sylius.model.adjustment.class%':
itemOperations:
shop_get:
controller: ApiPlatform\Core\Action\NotFoundAction
read: false
output: false
Or using XML configuration:
Copy the original configuration from vendor:
cp vendor/sylius/sylius/src/Sylius/Bundle/ApiBundle/Resources/config/api_resources/Adjustment.xml config/api_platform
And change the shop_get
operation in copied config/api_platform/Adjustment.xml
file:
<!-- config/api_platform/Adjustment.xml -->
...
<itemOperation name="shop_get">
<attribute name="method">GET</attribute>
<attribute name="path">/shop/adjustments/{id}</attribute>
<attribute name="controller">ApiPlatform\Core\Action\NotFoundAction</attribute>
<attribute name="read">false</attribute>
<attribute name="output">false</attribute>
</itemOperation>
...
If you have any questions or comments about this advisory: