Improper access control in Sylius - CVE-2021-32720

Published: June 28, 2021 / Updated: April 27, 2026


Vulnerability identifier: #VU128210
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2021-32720
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
Sylius
Software vendor:
Sylius

Description

The vulnerability allows a remote attacker to disclose order information.

The vulnerability exists due to improper access control in the new API orders endpoint: requests for order listings are served without requiring authentication. An unauthenticated remote attacker can send a request to this endpoint and obtain order information.

Exposed data includes order identifiers, order numbers, item totals, and token values, and may also include the number of items in the cart and shipping date details.
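The following is an added example, not Sylius code, that models the class of defect described above in a minimal order-listing handler. The first handler serves a full order list (including tokens) to any caller; the hardened handler requires an authenticated customer, scopes the listing to that customer's own orders, and omits the order token from the response. A small probe function shows how a regression test can detect the unauthenticated leak. All names, orders and token values are constructed for illustration and are not taken from the product.

```python
"""
Added example (not part of the Sylius project): an order-listing endpoint with
improper access control, beside a hardened version, plus a probe that a test
suite can use to catch the unauthenticated-listing regression.
"""
from dataclasses import dataclass
from typing import Callable, Optional


class AccessDenied(Exception):
    """Raised when a caller is not permitted to read the requested listing."""


@dataclass(frozen=True)
class Order:
    id: int
    number: str
    customer_id: int
    items_total: int   # constructed sample value, in minor currency units
    token: str         # constructed placeholder, not a real order token


# Constructed sample data standing in for the order store.
ORDERS = [
    Order(1, "000000001", customer_id=10, items_total=2599, token="tok-a"),
    Order(2, "000000002", customer_id=11, items_total=1200, token="tok-b"),
]


def list_orders_vulnerable(customer_id: Optional[int]) -> list[dict]:
    """Improper access control (CWE-284): the authenticated identity is ignored,
    so an unauthenticated caller (customer_id=None) receives every order,
    token values included."""
    return [vars(order) for order in ORDERS]


def list_orders_hardened(customer_id: Optional[int]) -> list[dict]:
    """Hardened handler: reject unauthenticated callers, return only the
    caller's own orders, and never include the token in a listing."""
    if customer_id is None:
        raise AccessDenied("authentication required for order listings")
    return [
        {"id": order.id, "number": order.number, "items_total": order.items_total}
        for order in ORDERS
        if order.customer_id == customer_id
    ]


def leaks_to_unauthenticated(handler: Callable[[Optional[int]], list[dict]]) -> bool:
    """Regression probe: True if an unauthenticated call yields any order data."""
    try:
        return len(handler(None)) > 0
    except AccessDenied:
        return False


if __name__ == "__main__":
    print("vulnerable leaks:", leaks_to_unauthenticated(list_orders_vulnerable))
    print("hardened leaks:  ", leaks_to_unauthenticated(list_orders_hardened))
    print("customer 10 sees:", list_orders_hardened(10))
```

The probe is the piece worth keeping in a test suite: an API listing endpoint should fail closed when no identity is attached to the request, and the response shape for authenticated callers should be reviewed so that secrets such as order tokens are not returned where only summary data is needed.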


Remediation

Install the security update from the vendor's website.

External links