CVE-2020-26223

Source
https://nvd.nist.gov/vuln/detail/CVE-2020-26223
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-26223.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2020-26223
Aliases
Published
2020-11-13T18:15:12Z
Modified
2024-06-06T13:13:00.012065Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
[none]
Details

Spree is a complete open source e-commerce solution built with Ruby on Rails. In Spree from version 3.7 and before versions 3.7.13, 4.0.5, and 4.1.12, there is an authorization bypass vulnerability: an attacker could query the API v2 Order Status endpoint with an empty string passed as the Order token. This is patched in versions 3.7.11, 4.0.4, or 4.1.11, depending on the Spree version in use. Users of Spree < 3.7 are not affected.

References

Affected packages

Git / github.com/spree/spree

Affected ranges

Type
GIT
Repo
https://github.com/spree/spree
Events

Affected versions

v4.*

v4.0.0
v4.0.1
v4.0.2
v4.0.3
v4.0.4