CVE-2020-15109

Source
https://nvd.nist.gov/vuln/detail/CVE-2020-15109
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-15109.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2020-15109
Aliases
Related
Published
2020-08-04T23:15:10Z
Modified
2025-01-14T08:32:09.332791Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Summary
[none]
Details

In Solidus before versions 2.8.6, 2.9.6, and 2.10.2, it is possible to change an order's address without triggering address validations. This vulnerability allows a malicious customer to craft request data with parameters that change the address of the current order without the shipment costs being recalculated for the new address. All stores with at least two shipping zones that charge different shipment costs per zone are affected. The root cause is how the checkout's permitted attributes are structured: there is a single list of attributes that is permitted across the whole checkout, regardless of which step is being submitted, so address attributes are accepted on steps that never re-price shipping. See the linked reference for more information. As a workaround, if it is not possible to upgrade to a supported patched version, use the gist in the references section.
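
The following is an added, constructed Ruby model of the flaw class described above, not Solidus' own code. The classes, method names, step names and zone rates (`Order`, `SingleListCheckout`, `PerStepCheckout`, `ZONE_RATES`, `run_attack`, `mispriced?`) are all illustrative assumptions. It shows why a single permitted-attribute list shared by every checkout step lets a payment-step request smuggle in an address change after shipping has already been priced, how a per-step list drops that parameter, and a store-side consistency check for orders whose shipment cost no longer matches their address.

```ruby
# Constructed model of a multi-step checkout showing the flaw class behind
# CVE-2020-15109. Order, the Checkout classes, ZONE_RATES and the step names
# are illustrative assumptions; none of this is Solidus' own code or API.

# Two shipping zones with different costs: the precondition the advisory names.
ZONE_RATES = { "US" => 5.0, "DE" => 25.0 }.freeze

STEPS = %i[address delivery payment confirm complete].freeze

class Order
  attr_accessor :email, :ship_country, :payment_token
  attr_reader :state, :shipment_cost

  def initialize
    @state = :address
    @shipment_cost = nil
  end

  # Shipments are priced once, on leaving the address step, from the address
  # the order holds at that moment. A later write to ship_country does not
  # re-run this, which is what lets the address and the cost drift apart.
  def next_step!
    @shipment_cost = ZONE_RATES.fetch(ship_country) if @state == :address
    @state = STEPS[STEPS.index(@state) + 1]
  end
end

# Vulnerable pattern: one permitted-attribute list shared by every step, so a
# payment-step request may also carry (and apply) an address change.
class SingleListCheckout
  PERMITTED = %i[email ship_country payment_token].freeze

  def update(order, params)
    params.slice(*PERMITTED).each { |k, v| order.public_send("#{k}=", v) }
    order.next_step!
    order
  end
end

# Hardened pattern: attributes are permitted per step. An address parameter
# submitted during the payment step is outside that step's list and is dropped.
class PerStepCheckout
  PERMITTED = {
    address:  %i[email ship_country],
    delivery: %i[],
    payment:  %i[payment_token],
    confirm:  %i[],
  }.freeze

  def update(order, params)
    allowed = PERMITTED.fetch(order.state)
    params.slice(*allowed).each { |k, v| order.public_send("#{k}=", v) }
    order.next_step!
    order
  end
end

# Drive an order to the payment step with the cheap zone, then submit a payment
# request that smuggles a ship_country change to the expensive zone.
def run_attack(checkout)
  order = Order.new
  checkout.update(order, { email: "c@example.com", ship_country: "US" }) # address  -> delivery
  checkout.update(order, {})                                              # delivery -> payment
  checkout.update(order, { payment_token: "tok_1", ship_country: "DE" })  # payment  -> confirm
  order
end

# Store-side audit: a shipment cost that no longer matches the rate for the
# order's current address is the trace this abuse leaves behind.
def mispriced?(order)
  !order.shipment_cost.nil? && order.shipment_cost != ZONE_RATES.fetch(order.ship_country)
end

if $PROGRAM_NAME == __FILE__
  v = run_attack(SingleListCheckout.new)
  puts "single list: ship to #{v.ship_country}, charged #{v.shipment_cost}, mispriced=#{mispriced?(v)}"
  h = run_attack(PerStepCheckout.new)
  puts "per step:    ship to #{h.ship_country}, charged #{h.shipment_cost}, mispriced=#{mispriced?(h)}"
end
```

With the single list, the order ends up addressed to the expensive zone while still carrying the cheap zone's shipment cost; with per-step permitted attributes the late `ship_country` parameter is ignored and the address and cost stay consistent. The `mispriced?` check is the kind of query a store operator can run over existing orders to find ones that were manipulated before patching, since the patch does not correct orders already placed.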

References

Affected packages

Git / github.com/solidusio/solidus

Affected ranges

Type
GIT
Repo
https://github.com/solidusio/solidus
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

v1.*

v1.0.0.pre
v1.0.0.pre2
v1.0.0.pre3
v1.1.0.beta1
v1.1.0.pre2

v2.*

v2.0.0.beta1
v2.7.0
v2.8.0
v2.8.1
v2.8.2
v2.8.3
v2.8.4
v2.8.5