CVE-2021-32720 – List of order ids, number, items total and token value exposed for unauthorized uses via new API
https://notcve.org/view.php?id=CVE-2021-32720
Sylius is an Open Source eCommerce platform on top of Symfony. In versions of Sylius prior to 1.9.5 and 1.10.0-RC.1, part of the details (order ID, order number, items total, and token value) of all placed orders were exposed to unauthorized users. If exploited properly, a few additional information like the number of items in the cart and the date of the shipping may be fetched as well. This data seems to not be crucial nor is personal data, however, could be used for sociotechnical attacks or may expose a few details about shop condition to the third parties. The data possible to aggregate are the number of processed orders or their value in the moment of time. • https://github.com/Sylius/Sylius/releases/tag/v1.9.5 https://github.com/Sylius/Sylius/security/advisories/GHSA-rpxh-vg2x-526v • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •