Sylius Cart Vulnerability Allows Unauthenticated Item Addition to Customer Carts

Vulnerability

A vulnerability in Sylius versions 2.0.0 prior to 2.0.16, 2.1.0 prior to 2.1.12, and 2.2.0 prior to 2.2.3 allows unauthenticated attackers to add items to the carts of registered customers. This issue arises because the POST /api/v2/shop/orders/{tokenValue}/items endpoint fails to verify cart ownership. An attacker who knows a customer's cart tokenValue can add arbitrary items to that cart. The endpoint then returns the full cart representation, including sensitive information such as the customer's email address, cart contents, address data, payment and shipment IDs, order totals, tax breakdown, and checkout state.

Impact

Exploitation of this vulnerability allows for unauthorized modification of customer shopping carts, potentially leading to unauthorized purchases or changes in order details.

Remediation

Users can update to Sylius versions 2.0.16, 2.1.12, or 2.2.3 and above to address this vulnerability. Additionally, for those who cannot immediately upgrade, a workaround involves adding an ownership check in the AddItemToCartHandler by injecting UserContextInterface and verifying that the current user matches the cart owner before items are added.
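The following is an added illustration of the workaround described above, written for this page and not taken from the Sylius patch or the Sylius code base. It wraps the stock AddItemToCartHandler in a decorating handler that resolves the cart from the command's token and refuses the request when the cart belongs to a registered customer other than the currently authenticated shop user. The class names AddItemToCartHandler and UserContextInterface come from the advisory; the namespaces, the AddItemToCart command shape (orderTokenValue), findCartByTokenValue(), and the getCustomer()/getUser() accessors are assumptions about the Sylius API bundle and core models, as is the choice to leave guest carts (no user attached to the customer) on their pre-existing behaviour.

```php
<?php

declare(strict_types=1);

// Added example: a decorating handler that enforces cart ownership before
// delegating to the original AddItemToCartHandler. All namespaces and
// accessor names below are assumptions about the Sylius code base.

namespace App\CommandHandler\Cart;

use Sylius\Bundle\ApiBundle\Command\Cart\AddItemToCart;
use Sylius\Bundle\ApiBundle\CommandHandler\Cart\AddItemToCartHandler;
use Sylius\Bundle\ApiBundle\Context\UserContextInterface;
use Sylius\Component\Core\Model\OrderInterface;
use Sylius\Component\Core\Repository\OrderRepositoryInterface;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
use Symfony\Component\Messenger\Attribute\AsMessageHandler;

#[AsMessageHandler]
final class OwnershipCheckingAddItemToCartHandler
{
    public function __construct(
        private readonly OrderRepositoryInterface $orderRepository,
        private readonly UserContextInterface $userContext,
        // The stock handler; this class is registered as its decorator.
        private readonly AddItemToCartHandler $innerHandler,
    ) {
    }

    public function __invoke(AddItemToCart $command): OrderInterface
    {
        // Resolve the cart the same way the endpoint does: by its tokenValue.
        $cart = $this->orderRepository->findCartByTokenValue($command->orderTokenValue);
        if (!$cart instanceof OrderInterface) {
            throw new NotFoundHttpException('Cart not found.');
        }

        $this->assertCurrentUserOwnsCart($cart);

        // Ownership verified: let the original handler add the item.
        return ($this->innerHandler)($command);
    }

    private function assertCurrentUserOwnsCart(OrderInterface $cart): void
    {
        // Assumption: a registered customer's cart has a Customer with a
        // linked ShopUser; guest carts have no user and are left unchanged.
        $owner = $cart->getCustomer()?->getUser();
        if ($owner === null) {
            return;
        }

        $currentUser = $this->userContext->getUser();

        // An anonymous caller, or a different logged-in user, must not be able
        // to modify a cart that belongs to a registered customer. Denying here
        // also prevents the response from leaking the cart representation
        // (email, addresses, totals) to someone who merely knows the token.
        if ($currentUser === null || $currentUser->getId() !== $owner->getId()) {
            throw new AccessDeniedHttpException('You are not allowed to modify this cart.');
        }
    }
}
```

To activate the wrapper, register it as a service decorator of the original handler (for example with Symfony's `#[AsDecorator]` attribute or the `decorates:` key in services.yaml, both of which exist in current Symfony versions) so that the message bus routes AddItemToCart commands through the ownership check first. Denying with a 403 rather than a 404 is a design choice; a 404 would hide whether a token exists at all, which some teams prefer for token-keyed resources.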

Added: Mar 10, 2026, 10:24 PM
Updated: Mar 10, 2026, 10:24 PM

Vulnerability Rating

Custom Algorithm scores (each metric on a 0-10 scale):

spread: 3.4
impact: 3.1
exploitability: 7.7
remediation: 7.7
relevance: 3.7
threat: 0.0
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.