SB2021062820 - Improper access control in Sylius

Published: June 28, 2021 Updated: April 27, 2026

Security Bulletin ID SB2021062820
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 1
Exploitation vector Remote access
Highest impact Information disclosure

Breakdown by Severity

Medium 100%

Description

This security bulletin contains information about 1 vulnerability.


1) Improper access control (CVE-ID: CVE-2021-32720)

The vulnerability allows a remote, unauthenticated attacker to disclose order information.

The vulnerability exists because the order listing endpoint of Sylius' new API does not enforce access control on unauthenticated requests: instead of rejecting such a request, or limiting the result to orders owned by the requesting customer, it returns order listings. A remote attacker can therefore obtain order data of other customers with a single crafted request that carries no credentials.

Exposed data includes order identifiers, order numbers, item totals and order token values, and may also include the number of items in the cart and shipping date details. Token values in particular should be treated as sensitive, since they identify individual orders within the API.
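To confirm whether a deployment is affected, or that the vendor update has actually closed the listing, the script below (added here as an illustration; it is not code from Sylius or from the bulletin's author) sends one unauthenticated GET to the order collection of the new API and classifies the answer. The endpoint path `/api/v2/shop/orders`, the `Accept: application/ld+json` header, the Hydra collection shape (`hydra:member`) and the field names `id`, `number`, `itemsTotal` and `tokenValue` are assumptions about the API Platform based new API and must be checked against your instance; the sample response embedded for offline use is constructed.

```python
"""Unauthenticated probe for the Sylius new-API order listing (CVE-2021-32720).

Constructed example for this bulletin, not code from Sylius. Assumptions:
the collection lives at /api/v2/shop/orders, is served as a Hydra/JSON-LD
collection, and order members carry id/number/itemsTotal/tokenValue fields.
Only run the live probe against systems you are authorised to test.
"""
import json
import sys
import urllib.error
import urllib.request

# Assumed path of the order collection in the new API.
ORDERS_PATH = "/api/v2/shop/orders"

# Fields the bulletin lists as exposed (assumed API field names).
SENSITIVE_FIELDS = ("id", "number", "itemsTotal", "tokenValue")

# Constructed response resembling what a vulnerable instance would answer
# to an unauthenticated GET; values are made up.
CONSTRUCTED_VULNERABLE_RESPONSE = json.dumps({
    "@context": "/api/v2/contexts/Order",
    "@id": ORDERS_PATH,
    "@type": "hydra:Collection",
    "hydra:member": [
        {"@id": ORDERS_PATH + "/ORDERTOKEN1", "id": 12, "number": "000000012",
         "itemsTotal": 4990, "tokenValue": "ORDERTOKEN1"},
        {"@id": ORDERS_PATH + "/ORDERTOKEN2", "id": 13, "number": "000000013",
         "itemsTotal": 1500, "tokenValue": "ORDERTOKEN2"},
    ],
    "hydra:totalItems": 2,
}).encode()


def _members(body):
    """Return the collection members from a JSON/JSON-LD body, or None."""
    try:
        data = json.loads(body)
    except (ValueError, TypeError):
        return None
    # API Platform returns JSON-LD collections as {"hydra:member": [...]};
    # a plain JSON format would return a bare list.
    members = data.get("hydra:member") if isinstance(data, dict) else data
    return members if isinstance(members, list) else None


def leaked_fields(body):
    """Sorted list of sensitive order fields present in any member."""
    members = _members(body) or []
    found = set()
    for member in members:
        if isinstance(member, dict):
            found.update(f for f in SENSITIVE_FIELDS if f in member)
    return sorted(found)


def classify_listing(status, body):
    """Classify the answer to an unauthenticated GET on the order collection.

    "rejected"   - 401/403: access control is enforced.
    "empty"      - 2xx with no members: inconclusive, the store may simply
                   have no orders; rerun against an instance with at least
                   one placed order before concluding it is fixed.
    "exposed"    - 2xx with members carrying order fields: vulnerable.
    "unexpected" - anything else (other status, non-collection body).
    """
    if status in (401, 403):
        return "rejected"
    if not 200 <= status < 300:
        return "unexpected"
    members = _members(body)
    if members is None:
        return "unexpected"
    if not members:
        return "empty"
    return "exposed" if leaked_fields(body) else "unexpected"


def probe(base_url, timeout=10):
    """Send one credential-less GET to the order collection and classify it."""
    url = base_url.rstrip("/") + ORDERS_PATH
    req = urllib.request.Request(url, headers={"Accept": "application/ld+json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_listing(resp.status, resp.read())
    except urllib.error.HTTPError as err:  # 4xx/5xx raise; still classify
        return classify_listing(err.code, err.read())


if __name__ == "__main__":
    if len(sys.argv) != 2:
        print("usage: probe.py https://shop.example.test", file=sys.stderr)
        sys.exit(2)
    verdict = probe(sys.argv[1])
    print("order listing without credentials:", verdict)
    sys.exit(1 if verdict == "exposed" else 0)
```

An "empty" verdict only proves that nothing was returned this time; a store with no orders answers the same way whether or not it is patched, so place a test order (or probe a staging copy with real data) before treating an instance as fixed.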


Remediation

Install the fixed version from the vendor's website. After updating, confirm that an unauthenticated request for the order listing of the new API is rejected rather than answered with order data.