3 matches found
CVE-2026-22588 Spree API has Authenticated Insecure Direct Object Reference (IDOR) via Order Modification
Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5, an Authenticated Insecure Direct Object Reference IDOR vulnerability was identified that allows an authenticated user to retrieve other users’ address information by modifying ...
CVE-2026-22588
Summary (validated) : Spree (Ruby on Rails e-commerce) contains an authenticated IDOR vulnerability in which a user can retrieve other users’ address information by modifying an existing order. The flaw arises when an authenticated user manipulates address identifiers in the request during order ...
CVE-2023-0865
The WooCommerce Multiple Customer Addresses & Shipping WordPress plugin before 21.7 does not ensure that the address to add/update/retrieve/delete and duplicate belong to the user making the request, or is from a high privilege users, allowing any authenticated users, such as subscriber to...