SCA: security update for sylius/sylius (GHSA-rpxh-vg2x-526v)

medium Tenable Cloud Security Plugin ID 418860

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Sylius is an Open Source eCommerce platform on top of Symfony. In versions of Sylius prior to 1.9.5 and
1.10.0-RC.1, part of the details (order ID, order number, items total, and token value) of all placed
orders were exposed to unauthorized users. If exploited properly, a few additional information like the
number of items in the cart and the date of the shipping may be fetched as well. This data seems to not be
crucial nor is personal data, however, could be used for sociotechnical attacks or may expose a few
details about shop condition to the third parties. The data possible to aggregate are the number of
processed orders or their value in the moment of time. The problem has been patched at Sylius 1.9.5 and
1.10.0-RC.1. There are a few workarounds for the vulnerability. The first possible solution is to hide the
problematic endpoints behind the firewall from not logged in users. This would put only the order list
under the firewall and allow only authorized users to access it. Once a user is authorized, it will have
access to theirs orders only. The second possible solution is to decorate the
`\Sylius\Bundle\ApiBundle\Doctrine\QueryCollectionExtension\OrdersByLoggedInUserExtension` and throw
`Symfony\Component\Security\Core\Exception\AccessDeniedException` if the class is executed for
unauthorized user. (CVE-2021-32720)

See Also

https://github.com/advisories/GHSA-rpxh-vg2x-526v

Plugin Details

Severity: Medium

ID: 418860

Version: Revision 1.5

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 1.2

Percentile: 0.01

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: CVE-2021-32720

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Temporal Score: 4.6

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 6/29/2021

Vulnerability Publication Date: 6/28/2021

Reference Information

CVE: CVE-2021-32720

cwe: CWE-200