{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31820", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-09T17:41:56.076Z", "datePublished": "2026-03-10T21:22:37.052Z", "dateUpdated": "2026-03-11T15:59:53.833Z"}, "containers": {"cna": {"title": "Sylius affected by IDOR in Cart and Checkout LiveComponents", "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "lang": "en", "description": "CWE-639: Authorization Bypass Through User-Controlled Key", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/Sylius/Sylius/security/advisories/GHSA-2xc6-348p-c2x6", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-2xc6-348p-c2x6"}], "affected": [{"vendor": "Sylius", "product": "Sylius", "versions": [{"version": ">= 2.2.0, < 2.2.3", "status": "affected"}, {"version": ">= 2.1.0, < 2.1.12", "status": "affected"}, {"version": ">= 2.0.0, < 2.0.16", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-10T21:22:37.052Z"}, "descriptions": [{"lang": "en", "value": "Sylius is an Open Source eCommerce Framework on Symfony. An authenticated Insecure Direct Object Reference (IDOR) vulnerability exists in multiple shop LiveComponents due to unvalidated resource IDs accepted via #[LiveArg] parameters. Unlike props, which are protected by LiveComponent's @checksum, args are fully user-controlled - any action that accepts a resource ID via #[LiveArg] and loads it with ->find() without ownership validation is vulnerable. Checkout address FormComponent (addressFieldUpdated action): Accepts an addressId via #[LiveArg] and loads it without verifying ownership, exposing another user's first name, last name, company, phone number, street, city, postcode, and country. Cart WidgetComponent (refreshCart action): Accepts a cartId via #[LiveArg] and loads any order directly from the repository, exposing order total and item count. Cart SummaryComponent (refreshCart action): Accepts a cartId via #[LiveArg] and loads any order directly from the repository, exposing subtotal, discount, shipping cost, taxes (excluded and included), and order total. Since sylius_order contains both active carts (state=cart) and completed orders (state=new/fulfilled) in the same ID space, the cart IDOR exposes data from all orders, not just active carts. The issue is fixed in versions: 2.0.16, 2.1.12, 2.2.3 and above."}], "source": {"advisory": "GHSA-2xc6-348p-c2x6", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-11T15:52:01.058912Z", "id": "CVE-2026-31820", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T15:59:53.833Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "Sylius affected by IDOR in Cart and Checkout LiveComponents", "source": {"advisory": "GHSA-2xc6-348p-c2x6", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Sylius", "product": "Sylius", "versions": [{"status": "affected", "version": ">= 2.2.0, < 2.2.3"}, {"status": "affected", "version": ">= 2.1.0, < 2.1.12"}, {"status": "affected", "version": ">= 2.0.0, < 2.0.16"}]}], "references": [{"url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-2xc6-348p-c2x6", "name": "https://github.com/Sylius/Sylius/security/advisories/GHSA-2xc6-348p-c2x6", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Sylius is an Open Source eCommerce Framework on Symfony. An authenticated Insecure Direct Object Reference (IDOR) vulnerability exists in multiple shop LiveComponents due to unvalidated resource IDs accepted via #[LiveArg] parameters. Unlike props, which are protected by LiveComponent's @checksum, args are fully user-controlled - any action that accepts a resource ID via #[LiveArg] and loads it with ->find() without ownership validation is vulnerable. Checkout address FormComponent (addressFieldUpdated action): Accepts an addressId via #[LiveArg] and loads it without verifying ownership, exposing another user's first name, last name, company, phone number, street, city, postcode, and country. Cart WidgetComponent (refreshCart action): Accepts a cartId via #[LiveArg] and loads any order directly from the repository, exposing order total and item count. Cart SummaryComponent (refreshCart action): Accepts a cartId via #[LiveArg] and loads any order directly from the repository, exposing subtotal, discount, shipping cost, taxes (excluded and included), and order total. Since sylius_order contains both active carts (state=cart) and completed orders (state=new/fulfilled) in the same ID space, the cart IDOR exposes data from all orders, not just active carts. The issue is fixed in versions: 2.0.16, 2.1.12, 2.2.3 and above."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639: Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-10T21:22:37.052Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-31820", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-11T15:52:01.058912Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-03-11T15:52:02.588Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-31820", "state": "PUBLISHED", "dateUpdated": "2026-03-10T21:22:37.052Z", "dateReserved": "2026-03-09T17:41:56.076Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-10T21:22:37.052Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*", "matchCriteriaId": "DA9449ED-A73A-4D16-A464-DBCBE24CA6A6", "versionEndExcluding": "2.0.16", "versionStartIncluding": "2.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*", "matchCriteriaId": "F45888BF-720D-4B78-BA7D-ED7E5E091A8C", "versionEndExcluding": "2.1.12", "versionStartIncluding": "2.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*", "matchCriteriaId": "9A2540B0-56B9-4B15-9876-BE908A80BB0A", "versionEndExcluding": "2.2.3", "versionStartIncluding": "2.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Sylius is an Open Source eCommerce Framework on Symfony. An authenticated Insecure Direct Object Reference (IDOR) vulnerability exists in multiple shop LiveComponents due to unvalidated resource IDs accepted via #[LiveArg] parameters. Unlike props, which are protected by LiveComponent's @checksum, args are fully user-controlled - any action that accepts a resource ID via #[LiveArg] and loads it with ->find() without ownership validation is vulnerable. Checkout address FormComponent (addressFieldUpdated action): Accepts an addressId via #[LiveArg] and loads it without verifying ownership, exposing another user's first name, last name, company, phone number, street, city, postcode, and country. Cart WidgetComponent (refreshCart action): Accepts a cartId via #[LiveArg] and loads any order directly from the repository, exposing order total and item count. Cart SummaryComponent (refreshCart action): Accepts a cartId via #[LiveArg] and loads any order directly from the repository, exposing subtotal, discount, shipping cost, taxes (excluded and included), and order total. Since sylius_order contains both active carts (state=cart) and completed orders (state=new/fulfilled) in the same ID space, the cart IDOR exposes data from all orders, not just active carts. The issue is fixed in versions: 2.0.16, 2.1.12, 2.2.3 and above."}, {"lang": "es", "value": "Sylius es un Framework de eCommerce de C\u00f3digo Abierto en Symfony. Una vulnerabilidad de Referencia Directa a Objeto Insegura (IDOR) autenticada existe en m\u00faltiples LiveComponents de la tienda debido a IDs de recursos no validados aceptados a trav\u00e9s de par\u00e1metros #[LiveArg]. A diferencia de las props, que est\u00e1n protegidas por el @checksum de LiveComponent, los args est\u00e1n completamente controlados por el usuario - cualquier acci\u00f3n que acepte un ID de recurso a trav\u00e9s de #[LiveArg] y lo cargue con -&gt;find() sin validaci\u00f3n de propiedad es vulnerable. FormComponent de direcci\u00f3n de pago (acci\u00f3n addressFieldUpdated): Acepta un addressId a trav\u00e9s de #[LiveArg] y lo carga sin verificar la propiedad, exponiendo el nombre, apellido, empresa, n\u00famero de tel\u00e9fono, calle, ciudad, c\u00f3digo postal y pa\u00eds de otro usuario. WidgetComponent de carrito (acci\u00f3n refreshCart): Acepta un cartId a trav\u00e9s de #[LiveArg] y carga cualquier pedido directamente desde el repositorio, exponiendo el total del pedido y el recuento de art\u00edculos. SummaryComponent de carrito (acci\u00f3n refreshCart): Acepta un cartId a trav\u00e9s de #[LiveArg] y carga cualquier pedido directamente desde el repositorio, exponiendo el subtotal, descuento, costo de env\u00edo, impuestos (excluidos e incluidos) y el total del pedido. Dado que sylius_order contiene tanto carritos activos (state=cart) como pedidos completados (state=new/fulfilled) en el mismo espacio de ID, el IDOR del carrito expone datos de todos los pedidos, no solo de los carritos activos. El problema est\u00e1 solucionado en las versiones: 2.0.16, 2.1.12, 2.2.3 y superiores."}], "id": "CVE-2026-31820", "lastModified": "2026-03-11T19:34:28.173", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-10T22:16:19.493", "references": [{"source": "security-advisories@github.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-2xc6-348p-c2x6"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.2.0,2.2.3)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.1.0,2.1.12)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.0.0,2.0.16)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Sylius", "source": "cna", "vendor": "Sylius"}, "product": "sylius", "vendor": "sylius"}], "analysis": {"en": {"generated_at": "2026-04-16T03:12:12.637231+00:00", "value": {"mitigation_remediation": ["Upgrade Sylius to at least version 2.0.16, 2.1.12, or 2.2.3 (the latest patch level) to apply the IDOR fix.", "If an upgrade is not yet possible, restrict the use of the affected LiveComponents (or the LiveArg interface) to trusted accounts only, or remove the LiveArg\u2011based endpoints from public access.", "Ensure that any future code changes introducing LiveComponent arguments perform explicit ownership validation before loading an entity from the repository."], "summary": {"action": "Patch", "impact": "Sensitive customer data disclosure"}, "threat_synthesis": {"affected_systems": "The affected product is the Sylius eCommerce framework. Versions prior to 2.0.16, 2.1.12, and 2.2.3 are impacted. The bug resides in multiple LiveComponents such as Checkout address FormComponent, Cart widget, and Cart summary. All installations using a vulnerable Sylius release and enabling those components should treat this flaw as high risk.", "description_and_impact": "This vulnerability is an Insecure Direct Object Reference within Sylius's LiveComponent mapping. Authenticated users can supply arbitrary resource identifiers through #[LiveArg] parameters. The framework then loads the corresponding entity with ->find() without checking that the resource belongs to the requesting user. As a result, a malicious user can discover personal information\u2014including first name, last name, company, phone number, street, city, postcode, and country\u2014from other customers\u2019 addresses, and can also read order totals, item counts, discounts, shipping costs, and tax details for any cart or completed order. The flaw originates from the lack of ownership validation for resource IDs, a classic CWE\u2011639 scenario.", "risk_and_exploitability": "The CVSS score of 7.1 indicates a moderate to high severity, while the EPSS score of less than 1% suggests that exploitation in the wild is currently unlikely; the vulnerability is not listed in the CISA KEV catalog. Nevertheless, the weakness can be exploited by any authenticated user who can control LiveComponent arguments\u2014most likely through the UI\u2014by supplying arbitrary record identifiers. The attacker does not need elevated privileges; merely accessing the site with a user account suffices."}}}}, "created": "2026-03-11T11:39:23.994875+00:00", "updated": "2026-04-16T03:15:22.949162+00:00", "vendors": ["sylius", "sylius$PRODUCT$sylius"]}