CVE-2020-26223

Source
https://nvd.nist.gov/vuln/detail/CVE-2020-26223
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-26223.json
Aliases
Published
2020-11-13T18:15:12Z
Modified
2023-11-29T08:18:50.193945Z
Details

Spree is a complete open source e-commerce solution built with Ruby on Rails. Spree from version 3.7 and before versions 3.7.13, 4.0.5, and 4.1.12 contains an authorization bypass: an attacker can query the API v2 Order Status endpoint with an empty string passed as the order token, and the request is accepted as if a valid token had been supplied. The advisory text names 3.7.11, 4.0.4, and 4.1.11 as the patched releases, but that does not match the affected range it states (and the affected-versions list below still includes v4.0.4), so treat 3.7.13, 4.0.5, and 4.1.12 as the minimum fixed release on each branch. Users of Spree < 3.7 are not affected.
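The bug class behind this advisory, a token check that degrades to no check when the submitted token is blank, as an added example. This is a standalone Ruby reconstruction written for this page, not Spree's own code: the Order struct, the in-memory ORDERS store, the order numbers and both lookup functions are hypothetical, and the example says nothing about which Spree internals actually carried the flaw. It shows the weak lookup beside a hardened one and the checks a practitioner would run against each.

```ruby
# Illustration of the CVE-2020-26223 bug class: an order-status lookup that
# accepts an empty order token. Hypothetical reconstruction, not Spree code.
require 'securerandom'

Order = Struct.new(:number, :token, :state, keyword_init: true)

# Constructed sample data (hypothetical): one guest order with a token and
# one legacy order whose token column was never populated.
ORDERS = [
  Order.new(number: 'R100000001', token: SecureRandom.hex(16), state: 'complete'),
  Order.new(number: 'R100000002', token: nil, state: 'complete')
].freeze

# Weak pattern (kept deliberately, this is the "before"): look the order up by
# number, then "authorize" by comparing tokens after coercing both sides to
# strings. A nil stored token and a blank or missing submitted token both
# become "", so the comparison passes and the order is disclosed.
def order_status_vulnerable(number, submitted_token)
  order = ORDERS.find { |o| o.number == number }
  return nil unless order
  return nil unless order.token.to_s == submitted_token.to_s

  { number: order.number, state: order.state }
end

# Constant-time byte comparison so a token cannot be guessed one byte at a
# time through response timing. Length mismatch short-circuits; the length of
# a random token is public anyway.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize

  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Hardened pattern: reject a blank token before touching the store, require
# the stored token to exist, and compare in constant time. Every failure
# returns the same nil so the endpoint cannot be used to confirm whether an
# order number exists.
def order_status_fixed(number, submitted_token)
  return nil if submitted_token.nil? || submitted_token.empty?

  order = ORDERS.find { |o| o.number == number }
  return nil unless order && order.token
  return nil unless secure_equal?(order.token, submitted_token)

  { number: order.number, state: order.state }
end

if __FILE__ == $PROGRAM_NAME
  p order_status_vulnerable('R100000002', '')               # disclosed with no token
  p order_status_fixed('R100000002', '')                    # nil
  p order_status_fixed('R100000001', ORDERS[0].token)       # disclosed with the real token
end
```

The blank-token check is the essential fix; the constant-time compare and the uniform nil response are the two caveats a reviewer would add when hardening any bearer-token lookup of this shape, since a plain `==` on a secret and distinct "not found" versus "wrong token" responses each leak something an attacker can use.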

References

Affected packages

Git / github.com/spree/spree

Affected versions

v4.*

v4.0.0
v4.0.1
v4.0.2
v4.0.3
v4.0.4