Lucene search
K

14 matches found

OSV
OSV
added 2026/02/06 9:29 p.m.8 views

CVE-2026-25758 Spree allows unauthenticated users can access all guest addresses

Spree is an open source e-commerce solution built with Ruby on Rails. A critical IDOR vulnerability exists in Spree Commerce's guest checkout flow that allows any guest user to bind arbitrary guest addresses to their order by manipulating address ID parameters. This enables unauthorized access to...

8.7CVSS5.6AI score0.00599EPSS
Exploits1References12
Snyk
Snyk
added 2026/01/10 4:57 a.m.1 views

Authorization Bypass Through User-Controlled Key

Overview Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key over the /addresses/addressId/edit endpoint, allowing the exposure of guest addresses. An attacker can retrieve address information belonging to guest users by sending requests for other...

8.7CVSS6.6AI score0.00383EPSS
Exploits1References2
Snyk
Snyk
added 2026/01/10 4:57 a.m.1 views

Authorization Bypass Through User-Controlled Key

Overview spreestorefront is a modern fully featured storefront and checkout for Spree Commerce Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key over the /addresses/addressId/edit endpoint, allowing the exposure of guest addresses. An attacker ca...

8.7CVSS6.6AI score0.00383EPSS
Exploits1References2
Vulnrichment
Vulnrichment
added 2026/01/10 3:17 a.m.2 views

CVE-2026-22589 Spree API has Unauthenticated IDOR - Guest Address

Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5, an Unauthenticated Insecure Direct Object Reference IDOR vulnerability was identified that allows an unauthenticated attacker to access guest address information without...

7.5CVSS6.4AI score0.00383EPSS
Exploits1References5
OSV
OSV
added 2026/01/10 3:17 a.m.6 views

CVE-2026-22589 Spree API has Unauthenticated IDOR - Guest Address

Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5, an Unauthenticated Insecure Direct Object Reference IDOR vulnerability was identified that allows an unauthenticated attacker to access guest address information without...

7.5CVSS6.4AI score0.00383EPSS
Exploits1References7
Cvelist
Cvelist
added 2026/01/10 3:17 a.m.22 views

CVE-2026-22589 Spree API has Unauthenticated IDOR - Guest Address

Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5, an Unauthenticated Insecure Direct Object Reference IDOR vulnerability was identified that allows an unauthenticated attacker to access guest address information without...

7.5CVSS0.00383EPSS
Exploits1References5
Positive Technologies
Positive Technologies
added 2026/01/10 12:0 a.m.6 views

PT-2026-2215

Name of the Vulnerable Software and Affected Versions Spree versions prior to 4.10.2 Spree versions prior to 5.0.7 Spree versions prior to 5.1.9 Spree versions prior to 5.2.5 Description Spree is an open source e-commerce solution built with Ruby on Rails. An Unauthenticated Insecure Direct Objec...

7.5CVSS6.5AI score0.00383EPSS
Exploits1References14
Github Security Blog
Github Security Blog
added 2026/01/08 9:28 p.m.8 views

Spree API has Unauthenticated IDOR - Guest Address

Summary An Unauthenticated Insecure Direct Object Reference IDOR vulnerability was identified that allows an unauthenticated attacker to access guest address information without supplying valid credentials or session cookies. Details During testing, it was observed that all guest users can make a...

7.5CVSS6.9AI score0.00383EPSS
Exploits1References8Affected Software1
RubySec
RubySec
added 2026/01/08 12:0 a.m.8 views

Spree API has Unauthenticated IDOR - Guest Address

Summary An Unauthenticated Insecure Direct Object Reference IDOR vulnerability was identified that allows an unauthenticated attacker to access guest address information without supplying valid credentials or session cookies. Details During testing, it was observed that all guest users can make a...

7.5CVSS6.7AI score0.00383EPSS
Exploits1References1Affected Software1
CVE
CVE
added 2025/12/24 12:9 p.m.16 views

CVE-2025-68743

The CVE-2025-68743 entry concerns the Linux kernel: the mshv memory-region creation check was incorrect and could mis-handle regions that start before and end after existing regions. The fix replaces the flawed beginning/end overlap checks with a proper range intersection check against gfns and u...

6.1AI score0.00155EPSS
Exploits0References3
SUSE CVE
SUSE CVE
added 2025/07/19 11:21 p.m.2 views

SUSE CVE-2025-38351

In the Linux kernel, the following vulnerability has been resolved: KVM: x86/hyper-v: Skip non-canonical addresses during PV TLB flush In KVM guests with Hyper-V hypercalls enabled, the hypercalls HVCALLFLUSHVIRTUALADDRESSLIST and HVCALLFLUSHVIRTUALADDRESSLISTEX allow a guest to request...

5.5CVSS6.3AI score0.00157EPSS
Exploits0References23
OSV
OSV
added 2025/07/19 12:15 p.m.2 views

UBUNTU-CVE-2025-38351

In the Linux kernel, the following vulnerability has been resolved: KVM: x86/hyper-v: Skip non-canonical addresses during PV TLB flush In KVM guests with Hyper-V hypercalls enabled, the hypercalls HVCALLFLUSHVIRTUALADDRESSLIST and HVCALLFLUSHVIRTUALADDRESSLISTEX allow a guest to request...

5.5CVSS6AI score0.00157EPSS
Exploits0References27
Positive Technologies
Positive Technologies
added 2025/06/25 12:0 a.m.5 views

PT-2025-30134

Name of the Vulnerable Software and Affected Versions Linux kernel affected versions not specified Description The Linux kernel contains a flaw in the KVM component related to handling hypercalls HVCALL FLUSH VIRTUAL ADDRESS LIST and HVCALL FLUSH VIRTUAL ADDRESS LIST EX within KVM guests utilizin...

6.8CVSS6.4AI score0.00157EPSS
Exploits0
Cvelist
Cvelist
added 2021/08/27 6:21 p.m.32 views

CVE-2021-28699

inadequate grant-v2 status frames array bounds check The v2 grant table interface separates grant attributes from grant status. That is, when operating in this mode, a guest has two tables. As a result, guests also need to be able to retrieve the addresses that the new status tracking table can b...

6.6AI score0.00353EPSS
Exploits0References6
Rows per page
Query Builder