7.7
CVE-2020-26223
- EPSS 1.11%
- Veröffentlicht 13.11.2020 18:15:12
- Zuletzt bearbeitet 21.11.2024 05:19:34
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
LoginAuthorization bypass in Spree
Spree is a complete open source e-commerce solution built with Ruby on Rails. In Spree from version 3.7 and before versions 3.7.13, 4.0.5, and 4.1.12, there is an authorization bypass vulnerability. The perpetrator could query the API v2 Order Status endpoint with an empty string passed as an Order token. This is patched in versions 3.7.11, 4.0.4, or 4.1.11 depending on your used Spree version. Users of Spree < 3.7 are not affected.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Spreecommerce ≫ Spree Version >= 3.7.0 < 3.7.13
Spreecommerce ≫ Spree Version >= 4.0.0 < 4.0.5
Spreecommerce ≫ Spree Version >= 4.1.0 < 4.1.12
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 1.11% | 0.616 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 6.5 | 2.8 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
|
| nvd@nist.gov | 4 | 8 | 2.9 |
AV:N/AC:L/Au:S/C:P/I:N/A:N
|
| security-advisories@github.com | 7.7 | 3.1 | 4 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
|
CWE-863 Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
https://github.com/spree/spree/pull/10573
https://github.com/spree/spree/security/advisories/GHSA-m2jr-hmc3-qmpr
https://guides.spreecommerce.org/api/v2/storefront#tag/Order-Status