7.7
CVE-2026-25757
- EPSS 0.02%
- Veröffentlicht 06.02.2026 22:37:07
- Zuletzt bearbeitet 23.02.2026 17:40:58
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
LoginSpree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 5.0.8, 5.1.10, 5.2.7, and 5.3.2, unauthenticated users can view completed guest orders by Order ID. This issue may lead to disclosure of PII of guest users (including names, addresses and phone numbers). This issue has been patched in versions 5.0.8, 5.1.10, 5.2.7, and 5.3.2.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Spreecommerce ≫ Spree Version < 5.0.8
Spreecommerce ≫ Spree Version >= 5.1.0 < 5.1.10
Spreecommerce ≫ Spree Version >= 5.2.0 < 5.2.7
Spreecommerce ≫ Spree Version >= 5.3.0 < 5.3.2
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.02% | 0.053 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 5.3 | 3.9 | 1.4 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
|
| security-advisories@github.com | 7.7 | 0 | 0 |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
|
CWE-639 Authorization Bypass Through User-Controlled Key
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.