VYPR
Medium severity (score 5.3) · OSV Advisory · Published Jul 17, 2024 · Updated Jun 17, 2026

CVE-2024-40633

Description

Sylius is an open source eCommerce framework built on Symfony. A security vulnerability was discovered in the /api/v2/shop/adjustments/{id} endpoint, which retrieves order adjustments by incremental integer ID. Because the IDs are sequential and the endpoint requires no proof of ownership, an attacker can enumerate valid adjustment IDs and read the order tokens they expose. Using those tokens, the attacker can then access guest customers' order details, which contain sensitive guest customer information. The issue is fixed in versions 1.12.19 and 1.13.4 and above: the /api/v2/shop/adjustments/{id} endpoint now always returns a 404 status. Users are advised to upgrade. Users unable to upgrade may alter their configuration to mitigate this issue; please see the linked GHSA for details.
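The weakness described above leaves a recognisable trace in web-server access logs: one client walking the adjustment IDs one after another in a short time. The following detector is an added example written for this page (it is not Sylius code and not part of the advisory); it parses combined-format access-log lines, groups requests to the affected endpoint by client address, and flags clients that touch many distinct IDs inside a time window, reporting the longest run of consecutive IDs as the tell-tale of an incremental sweep. The log lines are constructed sample data, and the window and threshold values are assumptions to tune for a real deployment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (Apache/nginx combined format). Not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [17/Jul/2024:10:00:01 +0000] "GET /api/v2/shop/adjustments/101 HTTP/1.1" 200 412
10.0.0.5 - - [17/Jul/2024:10:00:02 +0000] "GET /api/v2/shop/adjustments/102 HTTP/1.1" 200 410
10.0.0.5 - - [17/Jul/2024:10:00:02 +0000] "GET /api/v2/shop/adjustments/103 HTTP/1.1" 404 0
10.0.0.5 - - [17/Jul/2024:10:00:03 +0000] "GET /api/v2/shop/adjustments/104 HTTP/1.1" 200 415
10.0.0.5 - - [17/Jul/2024:10:00:03 +0000] "GET /api/v2/shop/adjustments/105 HTTP/1.1" 200 409
10.0.0.9 - - [17/Jul/2024:10:00:04 +0000] "GET /api/v2/shop/adjustments/2201 HTTP/1.1" 200 411
10.0.0.9 - - [17/Jul/2024:10:05:00 +0000] "GET /api/v2/shop/orders/tok_abc HTTP/1.1" 200 1500
"""

# Combined log format: client, ident, user, [timestamp], "METHOD path PROTO", status, ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Only the endpoint named in the advisory, with its integer ID captured.
ADJ_RE = re.compile(r"^/api/v2/shop/adjustments/(?P<id>\d+)$")
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a record for a request to the adjustments endpoint, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    p = ADJ_RE.match(m["path"])
    if not p:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "id": int(p["id"]),
        "status": int(m["status"]),
    }


def longest_consecutive_run(sorted_ids):
    """Length of the longest run of IDs that increase by exactly one (the sweep signature)."""
    best = cur = 1 if sorted_ids else 0
    for a, b in zip(sorted_ids, sorted_ids[1:]):
        cur = cur + 1 if b == a + 1 else 1
        best = max(best, cur)
    return best


def find_enumeration(log_text, window=timedelta(seconds=60), min_ids=4):
    """Flag clients that request at least `min_ids` distinct adjustment IDs within `window`.

    Window and threshold are assumed starting values; a legitimate checkout touches only
    the handful of adjustments belonging to its own order, not a span of consecutive IDs.
    """
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        best, start = 0, 0
        # Sliding window over the client's requests ordered by time.
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            best = max(best, len({r["id"] for r in recs[start:end + 1]}))
        if best >= min_ids:
            ids = sorted({r["id"] for r in recs})
            findings[ip] = {
                "distinct_ids": best,
                "longest_consecutive_run": longest_consecutive_run(ids),
                # 200s are the requests that actually returned an adjustment (and its token).
                "hits": sum(1 for r in recs if r["status"] == 200),
            }
    return findings


if __name__ == "__main__":
    for ip, info in find_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {info}")
```

On the sample data only 10.0.0.5 is flagged (five distinct IDs, a consecutive run of five, four of them answered with 200); 10.0.0.9 fetched a single adjustment and is ignored. After upgrading to a fixed release the endpoint answers 404 for every ID, so the `hits` count also doubles as a quick check that the fix is actually in place.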


Affected packages

Versions sourced from the GitHub Security Advisory.

Package         Ecosystem   Affected versions               Patched versions
sylius/sylius   Packagist   >= 1.12.0-alpha.1, < 1.12.19    1.12.19
sylius/sylius   Packagist   >= 1.13.0-alpha.1, < 1.13.4     1.13.4
sylius/sylius   Packagist   < 1.9.12                        1.9.12
sylius/sylius   Packagist   >= 1.10.0-alpha.1, < 1.10.16    1.10.16
sylius/sylius   Packagist   >= 1.11.0-alpha.1, < 1.11.17    1.11.17
