6 matches found

NVD
added 2026/02/06 11:15 p.m., 2 views

CVE-2026-25757

Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 5.0.8, 5.1.10, 5.2.7, and 5.3.2, unauthenticated users can view completed guest orders by Order ID. This issue may lead to disclosure of PII of guest users including names, addresses and phone numbers. This...

CVSS 8.7, EPSS 0.00032
Exploits: 1, References: 8
ATTACKERKB
added 2026/02/06 10:37 p.m., 4 views

CVE-2026-25757

Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 5.0.8, 5.1.10, 5.2.7, and 5.3.2, unauthenticated users can view completed guest orders by Order ID. This issue may lead to disclosure of PII of guest users including names, addresses and phone numbers. This...

CVSS 8.7, AI score 5.3, EPSS 0.00032
Exploits: 1, References: 9, Affected software: 1
Vulnrichment
added 2026/02/06 10:37 p.m., 2 views

CVE-2026-25757 Unauthenticated Spree Commerce users can view completed guest orders by Order ID

Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 5.0.8, 5.1.10, 5.2.7, and 5.3.2, unauthenticated users can view completed guest orders by Order ID. This issue may lead to disclosure of PII of guest users including names, addresses and phone numbers. This...

CVSS 8.7, AI score 5.4, EPSS 0.00032
Exploits: 1, References: 8
Positive Technologies
added 2026/02/05 12:00 a.m., 2 views

PT-2026-6727

Name of the vulnerable software and affected versions: Spree versions prior to 4.10.3, 5.0.8, 5.1.10, 5.2.7 and 5.3.2. Description: An IDOR vulnerability exists in Spree Commerce's guest checkout flow. This allo...

CVSS 8.7, AI score 5.7, EPSS 0.00034
Exploits: 1, References: 18
CNNVD
added 2026/01/08 12:00 a.m., 3 views

Spree security vulnerability

Spree is an open source e-commerce platform built with Ruby on Rails for individual developers. A security vulnerability exists in Spree versions prior to 4.10.2, 5.0.7, 5.1.9, and 5.2.5; it stems from an insecure direct object reference exploitable by an authenticated user, which could lead to obtaining other users'...

CVSS 6.5, AI score 6.3, EPSS 0.0001
Exploits: 1, References: 6
Snyk
added 2020/10/20 8:03 p.m., 1 view

Authentication Bypass

Overview: Affected versions of this package are vulnerable to Authentication Bypass. An attacker who previously obtained an old, expired user token could use it to access Storefront API v2 endpoints. Remediation: Upgrade spree to version 3.7.11, 4.0.4, 4.1.11 or higher. References: GitHub Commi...

CVSS 9.1, AI score 6.9, EPSS 0.00257
Exploits: 0, References: 2
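The entries above describe two related weaknesses in a storefront: the guest-order IDOR (CVE-2026-25757 and the earlier CNNVD entry), where a predictable order identifier alone is enough to read another shopper's completed order, and the Snyk entry, where an expired user token still authenticates to Storefront API v2. Both share one rule: an object identifier is never a capability by itself, and a token is only a capability while it is valid. The Ruby below is an added illustration written for this listing, not Spree's own code or its fix; the order records, token values, expiry dates, and the function names (vulnerable_show_order, hardened_show_order, vulnerable_authenticate, hardened_authenticate) are all constructed for the example.

```ruby
require "time"

# Constructed sample data (not from any real system): two completed guest
# orders with sequential numbers, and two API tokens for the same user,
# one of which has already expired.
Order    = Struct.new(:number, :email, :ship_address, :guest_token, :completed_at, keyword_init: true)
ApiToken = Struct.new(:value, :user_id, :expires_at, keyword_init: true)

ORDERS = [
  Order.new(number: "R100000001", email: "alice@example.com", ship_address: "1 Main St",
            guest_token: "tok-alice-9f3c", completed_at: Time.utc(2026, 1, 10)),
  Order.new(number: "R100000002", email: "bob@example.com", ship_address: "2 Oak Ave",
            guest_token: "tok-bob-71aa", completed_at: Time.utc(2026, 1, 11)),
].freeze

API_TOKENS = [
  ApiToken.new(value: "api-old",   user_id: 42, expires_at: Time.utc(2025, 12, 1)),
  ApiToken.new(value: "api-fresh", user_id: 42, expires_at: Time.utc(2027, 1, 1)),
].freeze

# Compared against when the order does not exist, so the response time does
# not differ between "unknown order" and "known order, wrong token".
DUMMY_TOKEN = "0" * 16

# Constant-time byte comparison: the loop does the same work regardless of
# where the first mismatch is, so an attacker cannot guess a token byte by byte.
def secure_equal?(a, b)
  return false if a.nil? || b.nil? || a.bytesize != b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Vulnerable pattern (IDOR): the order number is treated as if it were a secret.
# Order numbers are sequential and guessable, so anyone can enumerate them and
# read the buyer's e-mail and shipping address.
def vulnerable_show_order(number)
  order = ORDERS.find { |o| o.number == number }
  order && { number: order.number, email: order.email, ship_address: order.ship_address }
end

# Hardened: the caller must also present the per-order guest token that was
# issued to the buyer at checkout (in a real app a random value such as
# SecureRandom.hex(16)). Unknown order and wrong token yield the same result.
def hardened_show_order(number, guest_token)
  order    = ORDERS.find { |o| o.number == number }
  expected = order ? order.guest_token : DUMMY_TOKEN
  ok       = secure_equal?(expected, guest_token)
  return nil unless order && ok
  { number: order.number, email: order.email, ship_address: order.ship_address }
end

# Vulnerable pattern (expired-token reuse): the token value is looked up, but
# its expiry is never checked, so a leaked old token works forever.
def vulnerable_authenticate(token_value)
  tok = API_TOKENS.find { |t| secure_equal?(t.value, token_value) }
  tok&.user_id
end

# Hardened: a token is a capability only until expires_at; `now` is injected so
# the check is testable and can use the server clock, never a client-supplied time.
def hardened_authenticate(token_value, now: Time.now.utc)
  tok = API_TOKENS.find { |t| secure_equal?(t.value, token_value) }
  return nil unless tok && tok.expires_at > now
  tok.user_id
end

if __FILE__ == $PROGRAM_NAME
  puts "IDOR, no token:        #{vulnerable_show_order('R100000002').inspect}"
  puts "hardened, wrong token: #{hardened_show_order('R100000002', 'guess').inspect}"
  puts "hardened, right token: #{hardened_show_order('R100000002', 'tok-bob-71aa').inspect}"
  now = Time.utc(2026, 2, 6)
  puts "expired token, vuln:   #{vulnerable_authenticate('api-old').inspect}"
  puts "expired token, fixed:  #{hardened_authenticate('api-old', now: now).inspect}"
  puts "fresh token, fixed:    #{hardened_authenticate('api-fresh', now: now).inspect}"
end
```

The same shape applies to any "look up by ID" endpoint: the ID selects the record, and a separate, unguessable, time-bounded credential decides whether the caller may see it.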