Lucene search
GoogleOSV:GHSA-M2JR-HMC3-QMPRHistoryNov 13, 2020 - 5:18 p.m.
Authorization bypass in Spree
2020-11-1317:18:22
Google
osv.dev
3
0.002 Low
EPSS
Percentile
55.4%
Impact
The perpetrator could query the API v2 Order Status endpoint with an empty string passed as an Order token
Patches
Please upgrade to 3.7.11, 4.0.4, or 4.1.11 depending on your used Spree version. Users of Spree < 3.7 are not affected.
References
Pull request with a fix and in-depth explanation - https://github.com/spree/spree/pull/10573
For more information
If you have any questions or comments about this advisory:
- Email us at [email protected]
References
github.com/rubysec/ruby-advisory-db/blob/master/gems/spree_api/CVE-2020-26223.yml
github.com/spree/spree
github.com/spree/spree/pull/10573
github.com/spree/spree/security/advisories/GHSA-m2jr-hmc3-qmpr
guides.spreecommerce.org/api/v2/storefront#tag/Order-Status
nvd.nist.gov/vuln/detail/CVE-2020-26223
rubygems.org/gems/spree_api/versions
Related
cve
cve
CVE-2020-26223
2020-11-13 18:15:12
prion
prion
Authorization
2020-11-13 18:15:00
github
github
Authorization bypass in Spree
2020-11-13 17:18:22
nvd
nvd
CVE-2020-26223
2020-11-13 18:15:12
veracode
veracode
Authorization Bypass
2020-11-16 03:02:19
cvelist
cvelist
CVE-2020-26223 Authorization bypass in Spree
2020-11-13 17:25:20
osv
osv
CVE-2020-26223
2020-11-13 18:15:12