## Impact

A security vulnerability was discovered in the `/api/v2/shop/adjustments/{id}` endpoint, which retrieves order adjustments by incremental integer ID. Because the IDs are sequential, an attacker can enumerate valid adjustment IDs and retrieve the order tokens the adjustments reference. Using those tokens, the attacker can then access guest customers' order details, which contain sensitive guest customer information.

## Patches

The issue is fixed in versions 1.12.19 and 1.13.4 and later. In the patched versions `/api/v2/shop/adjustments/{id}` always returns a 404 status.

## Workarounds

If you cannot upgrade, override the `shop_get` item operation of the Adjustment resource so that it is served by API Platform's `NotFoundAction`.

Using YAML configuration, create a `config/api_platform/Adjustment.yaml` file:

```yaml
# config/api_platform/Adjustment.yaml
'%sylius.model.adjustment.class%':
    itemOperations:
        shop_get:
            controller: ApiPlatform\Core\Action\NotFoundAction
            read: false
            output: false
```

Or, using XML configuration, copy the original configuration from vendor:

```bash
cp vendor/sylius/sylius/src/Sylius/Bundle/ApiBundle/Resources/config/api_resources/Adjustment.xml config/api_platform
```

and change the `shop_get` operation in the copied `config/api_platform/Adjustment.xml` file:

```xml
<!-- ... -->
<itemOperation name="shop_get">
    <attribute name="method">GET</attribute>
    <attribute name="path">/shop/adjustments/{id}</attribute>
    <attribute name="controller">ApiPlatform\Core\Action\NotFoundAction</attribute>
    <attribute name="read">false</attribute>
    <attribute name="output">false</attribute>
</itemOperation>
<!-- ... -->
```

After applying either workaround and clearing the Symfony cache, confirm that a request for an existing adjustment ID returns 404 rather than an adjustment body.

## For more information

If you have any questions or comments about this advisory:

- Open an issue in Sylius issues
- Email us at…
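The following is an added example, not code from the advisory or from the Sylius project, showing how an operator can confirm that the patch or workaround is in place: it probes a handful of adjustment IDs and reports, per ID, whether the endpoint is closed (404), blocked some other way, or still returning a body that references an order. The token detection assumes a leaked order reference appears either as an order IRI of the form `/api/v2/shop/orders/<token>` or under a `tokenValue` key; that response shape, the base URL and the sample responses are assumptions. Only run the real fetcher against a shop you are responsible for.

```python
"""Verify that /api/v2/shop/adjustments/{id} no longer exposes order data.

Added example; not part of the Sylius advisory or the Sylius code base.
The shape of a leaking response (order IRI or "tokenValue" key) is an
assumption, as are the sample responses used for the offline run.
"""
import json
import re
import urllib.error
import urllib.request

# Assumed shape of an order reference inside a leaking adjustment body.
ORDER_REF_RE = re.compile(r'/api/v2/shop/orders/([A-Za-z0-9_-]+)')


def fetch_status_and_body(base_url, adjustment_id):
    """Real fetcher: GET one adjustment and return (status, body_text)."""
    url = f"{base_url.rstrip('/')}/api/v2/shop/adjustments/{adjustment_id}"
    req = urllib.request.Request(url, headers={"Accept": "application/ld+json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


# Constructed sample responses so the check can be exercised offline.
SAMPLE_RESPONSES = {
    1: (200, '{"@id":"/api/v2/shop/adjustments/1","order":"/api/v2/shop/orders/abc-XYZ_9"}'),
    2: (200, '{"id":2,"order":{"tokenValue":"tok123"}}'),
    3: (200, '{"id":3,"amount":100}'),
    4: (401, '{"message":"JWT Token not found"}'),
}


def sample_fetch(base_url, adjustment_id):
    """Offline stand-in for fetch_status_and_body using SAMPLE_RESPONSES."""
    return SAMPLE_RESPONSES.get(adjustment_id, (404, '{"detail":"Not Found"}'))


def order_refs_in(body):
    """Collect order tokens referenced in a body: IRIs anywhere in the text,
    plus any string-valued "tokenValue" key if the body parses as JSON."""
    refs = set(ORDER_REF_RE.findall(body))
    try:
        doc = json.loads(body)
    except ValueError:
        return refs

    def walk(node):
        if isinstance(node, dict):
            for key, value in node.items():
                if key == "tokenValue" and isinstance(value, str):
                    refs.add(value)
                walk(value)
        elif isinstance(node, list):
            for value in node:
                walk(value)

    walk(doc)
    return refs


def classify(status, body):
    """Map one response to a verdict for the advisory's fix."""
    if status == 404:
        return "closed"          # what the patch and both workarounds produce
    if status in (401, 403):
        return "blocked"         # not the advised fix, but not leaking either
    if status == 200 and order_refs_in(body):
        return "leaking"         # body references an order token
    if status == 200:
        return "open"            # body returned; review serialization groups
    return f"other:{status}"


def verify(base_url, ids, fetch=fetch_status_and_body):
    """Return {adjustment_id: verdict}. Pass fetch=sample_fetch to run offline."""
    return {i: classify(*fetch(base_url, i)) for i in ids}


def is_fixed(results):
    """True only when every probed ID came back 404."""
    return all(verdict == "closed" for verdict in results.values())


if __name__ == "__main__":
    for adj_id, verdict in verify("https://shop.example", range(1, 7), fetch=sample_fetch).items():
        print(adj_id, verdict)
```

The verdict "blocked" is deliberately distinct from "closed": a 401 or 403 means some other control (for example a firewall rule) is in front of the endpoint, which is not the behaviour the advisory describes and should be double-checked rather than taken as proof of the fix.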
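Because the vulnerable endpoint is enumerated by walking sequential IDs, past exploitation leaves a recognisable trace in web server access logs. The following is an added example, not part of the advisory or of Sylius, that scans combined-format (nginx/Apache) access log lines and flags any client that requested several distinct `/api/v2/shop/adjustments/{id}` IDs within a short sliding window. The log lines, IP addresses and thresholds are constructed for the example.

```python
"""Flag clients enumerating /api/v2/shop/adjustments/{id} in access logs.

Added example; not part of the Sylius advisory. Assumes combined log
format; SAMPLE_LOG below is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Combined log format: ip ident user [timestamp] "METHOD path proto" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Only the vulnerable endpoint, with a purely numeric ID.
PATH_RE = re.compile(r'^/api/v2/shop/adjustments/(?P<id>\d+)(?:[?#]|$)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one client walks IDs 100..105, another makes normal requests.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2024:12:00:01 +0000] "GET /api/v2/shop/adjustments/100 HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.7 - - [10/Jun/2024:12:00:02 +0000] "GET /api/v2/shop/adjustments/101 HTTP/1.1" 200 498 "-" "curl/8.0"
203.0.113.7 - - [10/Jun/2024:12:00:02 +0000] "GET /api/v2/shop/adjustments/102 HTTP/1.1" 404 73 "-" "curl/8.0"
203.0.113.7 - - [10/Jun/2024:12:00:03 +0000] "GET /api/v2/shop/adjustments/103 HTTP/1.1" 200 510 "-" "curl/8.0"
203.0.113.7 - - [10/Jun/2024:12:00:04 +0000] "GET /api/v2/shop/adjustments/104 HTTP/1.1" 200 505 "-" "curl/8.0"
203.0.113.7 - - [10/Jun/2024:12:00:05 +0000] "GET /api/v2/shop/adjustments/105 HTTP/1.1" 404 73 "-" "curl/8.0"
198.51.100.2 - - [10/Jun/2024:12:00:07 +0000] "GET /api/v2/shop/adjustments/42 HTTP/1.1" 200 500 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Jun/2024:12:00:09 +0000] "GET /api/v2/shop/orders/abc123 HTTP/1.1" 200 2100 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return {ip, ts, id, status} for a request to the adjustment endpoint, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    p = PATH_RE.match(m["path"])
    if not p:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "id": int(p["id"]),
        "status": int(m["status"]),
    }


def find_enumerators(lines, min_ids=5, window_seconds=60):
    """Return {ip: summary} for clients that requested at least min_ids distinct
    adjustment IDs inside some window_seconds-long sliding window. The summary
    describes the window with the most distinct IDs for that client."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        best = None
        start = 0
        for end in range(len(recs)):
            # Shrink the window from the left until it fits in window_seconds.
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            window = recs[start:end + 1]
            ids = {r["id"] for r in window}
            if len(ids) >= min_ids and (best is None or len(ids) > best["distinct_ids"]):
                best = {
                    "distinct_ids": len(ids),
                    "id_min": min(ids),
                    "id_max": max(ids),
                    # 200s are the requests that actually handed back a body.
                    "hits_200": sum(1 for r in window if r["status"] == 200),
                }
        if best:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, summary in find_enumerators(SAMPLE_LOG.splitlines()).items():
        print(ip, summary)
```

On a patched deployment every hit will be a 404, so `hits_200` greater than zero for a flagged client dates the activity to before the fix and marks the IDs whose order tokens may have been disclosed; those orders are the ones to review.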