CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

GHSA-mr9r-h354-966r: Sylius: IDOR on Shop Payment Request API endpoints

mediumCVE-2026-53639
Impact The GET /api/v2/shop/payment-requests/{hash} and PUT /api/v2/shop/payment-requests/{hash} endpoints look up the payment request solely by the hash from the URL. No ownership check is performed against the authenticated customer or the underlying order. An attacker who obtains a payment request hash can: - read the payment request and, through the payment IRI in the response, recover the underlying order's tokenValue (which itself grants access to the full order, items, addresses, customer email, totals); - update the payment request payload (e.g. target_path, after_path). These fields are used by the front-end controller to redirect the user after the payment, so an attacker can flip them to an attacker-controlled URL and intercept the buyer. The hash is a UUID, so it has to be obtained out-of-band (logs, shared links, referrer headers, a co-located client), but once it is known no other credential is required, neither authentication nor knowledge of the order token. The creation endpoint POST /api/v2/shop/orders/{tokenValue}/payment-requests shares the same flaw: it resolves the target order solely from the tokenValue in the URL without verifying that the caller owns the order. Patches The issue is fixed in versions: 2.0.18, 2.1.15, 2.2.6. Workarounds Until you can upgrade, apply the following workaround. It enforces ownership on the existing endpoints, so that: - an authenticated shop user may only access payment requests of their own orders; - an anonymous caller may only access payment requests of guest orders (the order's customer has no associated user account); - everyone else receives 404 Not Found. Step 1. Add a query extension that filters the GET operation Create file src/ApiPlatform/QueryExtension/PaymentRequestOwnershipExtension.php: <?php declare(strict_types=1); namespace App\ApiPlatform\QueryExtension; use ApiPlatform\Doctrine\Orm\Extension\QueryItemExtensionInterface; use ApiPlatform\Doctrine\Orm\Util\QueryNameGeneratorInterface;

Details

Source
GitHub Security Advisories (INTL · database · site)
Severity
medium
Published
2026-07-09
Last updated
2026-07-09
Exploitation
Not in CISA KEV at last sync

Original advisory: https://github.com/advisories/GHSA-mr9r-h354-966r

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-53639coverage & exploitation statusNVD · CVE.org

More from GitHub Security Advisories