CVE-2020-15269

EPSS 0.26%
Veröffentlicht 20.10.2020 21:15:12
Zuletzt bearbeitet 21.11.2024 05:05:14
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

In Spree before versions 3.7.11, 4.0.4, or 4.1.11, expired user tokens could be used to access Storefront API v2 endpoints. The issue is patched in versions 3.7.11, 4.0.4 and 4.1.11. A workaround without upgrading is described in the linked advisory.

Betroffene Produkte Warnungen 0 Metriken 4 CWE 2 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Sparksolutions ≫ Spree Version < 3.7.11

Sparksolutions ≫ Spree Version >= 4.0.0 < 4.0.4

Sparksolutions ≫ Spree Version >= 4.1.0 < 4.1.11

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.26%	0.462

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.1	3.9	5.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
nvd@nist.gov	6.4	10	4.9	AV:N/AC:L/Au:N/C:P/I:P/A:N
security-advisories@github.com	7.4	2.2	5.2	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

CWE-613 Insufficient Session Expiration

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

https://github.com/spree/spree/commit/e43643abfe51f54bd9208dd02298b366e9b9a847

Patch

Third Party Advisory

https://github.com/spree/spree/security/advisories/GHSA-f8cm-364f-q9qh

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2020-15269

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2020-15269

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2020-15269

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2020-15269