Publish GHSA-55rf-8q29-4g43

advisory-database[bot] · advisory-database[bot] · commit 8e1891bfff54 · 2026-03-09T15:56:12.000Z
diff --git a/advisories/github-reviewed/2024/07/GHSA-55rf-8q29-4g43/GHSA-55rf-8q29-4g43.json b/advisories/github-reviewed/2024/07/GHSA-55rf-8q29-4g43/GHSA-55rf-8q29-4g43.json
@@ -1,13 +1,13 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-55rf-8q29-4g43",
-  "modified": "2024-07-17T19:13:34Z",
+  "modified": "2026-03-09T15:54:21Z",
   "published": "2024-07-17T14:32:18Z",
   "aliases": [
     "CVE-2024-40633"
   ],
   "summary": "Sylius has a security vulnerability via adjustments API endpoint",
-  "details": "### Impact\nA security vulnerability was discovered in the `/api/v2/shop/adjustments/{id}` endpoint, which retrieves order adjustments based on incremental integer IDs. The vulnerability allows an attacker to enumerate valid adjustment IDs and retrieve order tokens. Using these tokens, an attacker can access guest customer order details - sensitive guest customer information. \n\n### Patches\nThe issue is fixed in versions: 1.12.19, 1.13.4 and above. The `/api/v2/shop/adjustments/{id}` will always return `404` status.\n\n### Workarounds\n\nUsing YAML configuration:\n\nCreate `config/api_platform/Adjustment.yaml` file:\n\n```yaml\n# config/api_platform/Adjustment.yaml\n\n'%sylius.model.adjustment.class%':\n    itemOperations:\n        shop_get:\n            controller: ApiPlatform\\Core\\Action\\NotFoundAction\n            read: false\n            output: false\n```\n\nOr using XML configuration:\n\nCopy the original configuration from vendor:\n\n```bash\ncp vendor/sylius/sylius/src/Sylius/Bundle/ApiBundle/Resources/config/api_resources/Adjustment.xml config/api_platform\n```\n\nAnd change the `shop_get` operation in copied `config/api_platform/Adjustment.xml` file:\n\n```xml\n<!-- config/api_platform/Adjustment.xml -->\n\n...\n<itemOperation name=\"shop_get\">\n    <attribute name=\"method\">GET</attribute>\n    <attribute name=\"path\">/shop/adjustments/{id}</attribute>\n    <attribute name=\"controller\">ApiPlatform\\Core\\Action\\NotFoundAction</attribute>\n    <attribute name=\"read\">false</attribute>\n    <attribute name=\"output\">false</attribute>\n</itemOperation>\n...\n```\n\n### For more information\nIf you have any questions or comments about this advisory:\n\n- Open an issue in [Sylius issues](https://github.com/Sylius/Sylius/issues)\n- Email us at [security@sylius.com](mailto:security@sylius.com)\n",
+  "details": "### Impact\nA security vulnerability was discovered in the `/api/v2/shop/adjustments/{id}` endpoint, which retrieves order adjustments based on incremental integer IDs. The vulnerability allows an attacker to enumerate valid adjustment IDs and retrieve order tokens. Using these tokens, an attacker can access guest customer order details - sensitive guest customer information.\n\n### Patches\nThe issue is fixed in versions: 1.9.12, 1.10.16, 1.11.17, 1.12.19, 1.13.4 and above.\nThe `/api/v2/shop/adjustments/{id}` will always return `404` status.\n\n### Workarounds\n\nUsing YAML configuration:\n\nCreate `config/api_platform/Adjustment.yaml` file:\n\n```yaml\n# config/api_platform/Adjustment.yaml\n\n'%sylius.model.adjustment.class%':\n    itemOperations:\n        shop_get:\n            controller: ApiPlatform\\Core\\Action\\NotFoundAction\n            read: false\n            output: false\n```\n\nOr using XML configuration:\n\n> Note: This is the only way of disabling the vulnerable endpoint for Sylius 1.9, as YAML configuration is not supported in that version.\n\nCopy the original configuration from vendor:\n\n```bash\n# create directory if it doesn't exist\nmkdir -p config/api_platform\n\ncp vendor/sylius/sylius/src/Sylius/Bundle/ApiBundle/Resources/config/api_resources/Adjustment.xml config/api_platform\n```\n\nAnd change the `shop_get` operation in copied `config/api_platform/Adjustment.xml` file:\n\n```xml\n<!-- config/api_platform/Adjustment.xml -->\n\n...\n<itemOperation name=\"shop_get\">\n    <attribute name=\"method\">GET</attribute>\n    <attribute name=\"path\">/shop/adjustments/{id}</attribute>\n    <attribute name=\"controller\">ApiPlatform\\Core\\Action\\NotFoundAction</attribute>\n    <attribute name=\"read\">false</attribute>\n    <attribute name=\"output\">false</attribute>\n</itemOperation>\n...\n```\n\nUpdate your API platform paths config if needed so the new configuration file is loaded:\n\n```yaml\n# config/packages/api_platform.yaml\napi_platform:\n    mapping:\n        paths:\n          - '%kernel.project_dir%/vendor/sylius/sylius/src/Sylius/Bundle/ApiBundle/Resources/config/api_resources'\n          ...\n          - '%kernel.project_dir%/config/api_platform'\n```\n\n### For more information\nIf you have any questions or comments about this advisory:\n\n- Open an issue in [Sylius issues](https://github.com/Sylius/Sylius/issues)\n- Email us at [security@sylius.com](mailto:security@sylius.com)",
   "severity": [
     {
       "type": "CVSS_V3",
@@ -29,7 +29,7 @@
           "type": "ECOSYSTEM",
           "events": [
             {
-              "introduced": "0"
+              "introduced": "1.12.0-alpha.1"
             },
             {
               "fixed": "1.12.19"
@@ -56,6 +56,69 @@
           ]
         }
       ]
+    },
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "sylius/sylius"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.9.12"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "sylius/sylius"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "1.10.0-alpha.1"
+            },
+            {
+              "fixed": "1.10.16"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 1.10.15"
+      }
+    },
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "sylius/sylius"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "1.11.0-alpha.1"
+            },
+            {
+              "fixed": "1.11.17"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 1.11.16"
+      }
     }
   ],
   "references": [
