CVE-2020-26223

Source
https://nvd.nist.gov/vuln/detail/CVE-2020-26223
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-26223.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2020-26223
Aliases
Published
2020-11-13T18:15:12Z
Modified
2024-10-12T06:24:24.956088Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
[none]
Details

Spree is a complete open source e-commerce solution built with Ruby on Rails. In Spree from version 3.7 and before versions 3.7.13, 4.0.5, and 4.1.12, there is an authorization bypass vulnerability. The perpetrator could query the API v2 Order Status endpoint with an empty string passed as an Order token. This is patched in versions 3.7.11, 4.0.4, or 4.1.11 depending on your used Spree version. Users of Spree < 3.7 are not affected.

References

Affected packages

Git / github.com/spree/spree

Affected ranges

Type
GIT
Repo
https://github.com/spree/spree
Events

Affected versions

v4.*

v4.0.0
v4.0.1
v4.0.2
v4.0.3
v4.0.4