CVSS2

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | NONE |
Integrity Impact | PARTIAL |
Availability Impact | NONE |

AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS3

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | NONE |
Integrity Impact | LOW |
Availability Impact | NONE |

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

This vulnerability allows a malicious customer to craft request data with
parameters that allow changing the address of the current order without
changing the shipment costs associated with the new shipment.
All stores with at least two shipping zones and different costs of shipment
per zone are impacted.
For example, an attacker can learn that shipping to NY is less expensive than
to LA just by testing different addresses in checkout:

```js
// POST #checkout/update:
{
  state: 'payment',
  order: {
    ship_address_attributes: {
      city: 'Los Angeles',
      ...
    }
  }
}
```

Another scenario where this could be dangerous is:
> You cannot ship products in some zones and you are relying on Solidus
> Shipping Method building only to filter out unwanted zones. Malicious
> users can enter an allowed zone’s address and change back to an unwanted
> one in the payment step by crafting a request with some proper
> ship_address_attributes.
This problem comes from how checkout permitted attributes are structured.
We have a single list of attributes that are permitted across the whole
checkout, no matter the step that is being submitted.
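
The difference between one checkout-wide allow-list and per-step allow-lists, as an added plain-Ruby example (not Solidus code and not the patch itself). The constant and method names, the step names other than `payment`, and every attribute key other than `ship_address_attributes` are assumptions made for illustration.

```ruby
# Added illustration: plain-Ruby model of checkout parameter filtering.
# FLAT_PERMITTED, PER_STEP_PERMITTED and the filter_* helpers are hypothetical
# names; only ship_address_attributes and the 'payment' state come from the page.

# Weak: one allow-list applied to every checkout step.
FLAT_PERMITTED = %i[email ship_address_attributes bill_address_attributes
                    shipments_attributes payments_attributes].freeze

# Hardened: each step accepts only the keys it is supposed to change.
PER_STEP_PERMITTED = {
  'address'  => %i[email ship_address_attributes bill_address_attributes],
  'delivery' => %i[shipments_attributes],
  'payment'  => %i[payments_attributes],
  'confirm'  => []
}.freeze

def filter_flat(order_params, _step)
  order_params.select { |key, _| FLAT_PERMITTED.include?(key) }
end

def filter_per_step(order_params, step)
  allowed = PER_STEP_PERMITTED.fetch(step, []) # unknown step permits nothing
  order_params.select { |key, _| allowed.include?(key) }
end

# Keys that were submitted but dropped for this step; worth logging, since a
# normal checkout form never sends an address at the payment step.
def rejected_keys(order_params, step)
  order_params.keys - filter_per_step(order_params, step).keys
end

# Constructed request body mirroring the one shown above.
CRAFTED = {
  state: 'payment',
  order: {
    ship_address_attributes: { city: 'Los Angeles' },
    payments_attributes: [{ payment_method_id: 1 }]
  }
}.freeze

if __FILE__ == $PROGRAM_NAME
  step, order = CRAFTED[:state], CRAFTED[:order]
  puts "flat list keeps:     #{filter_flat(order, step).keys.inspect}"
  puts "per-step list keeps: #{filter_per_step(order, step).keys.inspect}"
  puts "rejected (log this): #{rejected_keys(order, step).inspect}"
end
```
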
When it’s not possible to upgrade to a supported patched version, please
use this gist to patch the store:
https://gist.github.com/kennyadsl/4618cd9797984cb64f7700a81bda889d
Vendor | Product | Version | CPE |
---|---|---|---|
ruby | solidus_frontend | * | cpe:2.3:a:ruby:solidus_frontend:*:*:*:*:*:*:*:* |