GHSA-G268-72P7-9J6J Spree API has Authenticated Insecure Direct Object Reference (IDOR) via Order Modification

Summary An Authenticated Insecure Direct Object Reference IDOR vulnerability was identified that allows an authenticated user to retrieve other users’ address information by modifying an existing order. By editing an order they legitimately own and manipulating address identifiers in the request,...

EUVD-2020-1427

Malware in sbrugna...

Diavante vue-storefront-api and storefront-api disclose stack trace

In Divante vue-storefront-api through 1.11.1 and storefront-api through 1.0-rc.1, as used in VueStorefront PWA, unexpected HTTP requests lead to an exception that discloses the error stack trace, with absolute file paths and Node.js module names...

GHSA-9WXJ-37P8-49FF Diavante vue-storefront-api and storefront-api disclose stack trace

In Divante vue-storefront-api through 1.11.1 and storefront-api through 1.0-rc.1, as used in VueStorefront PWA, unexpected HTTP requests lead to an exception that discloses the error stack trace, with absolute file paths and Node.js module names...

Shopify: Bypass a fix for report #708013

Summary: customerAccessTokenCreate mutation in the Storefront API does not correctly throttle login attempts. An issue in similar report https://hackerone.com/reports/708013 was already fixed, however, there is still a bypass. Steps To Reproduce: 1. Grab a Storefront API Token I got it from the B...

Spree Authorization Issues Vulnerability

Spree is a personal developer of an open source mall developed using Ruby on Rails. An authorization issue vulnerability exists in Spree version 3.7.11, version 4.0.4, and versions prior to 4.1.11, which stems from an expired user token that can be used to access the storefront API v2 endpoint. A...

Token Validation Bypass

spreeapi is vulnerable to token validation bypass. Failure to check for the expiry of the doorkeepertoken allows an attacker to access Storefront API v2 endpoints using expired user tokens...

CVE-2020-15269

In Spree before versions 3.7.11, 4.0.4, or 4.1.11, expired user tokens could be used to access Storefront API v2 endpoints. The issue is patched in versions 3.7.11, 4.0.4 and 4.1.11. A workaround without upgrading is described in the linked advisory...

Code injection

In Spree before versions 3.7.11, 4.0.4, or 4.1.11, expired user tokens could be used to access Storefront API v2 endpoints. The issue is patched in versions 3.7.11, 4.0.4 and 4.1.11. A workaround without upgrading is described in the linked advisory...

CVE-2020-15269 Expired token reuse in Spree

In Spree before versions 3.7.11, 4.0.4, or 4.1.11, expired user tokens could be used to access Storefront API v2 endpoints. The issue is patched in versions 3.7.11, 4.0.4 and 4.1.11. A workaround without upgrading is described in the linked advisory...

GHSA-F8CM-364F-Q9QH Ensure that doorkeeper_token is valid when authenticating requests in API v2 calls

Impact The perpetrator who previously obtained an old expired user token could use it to access Storefront API v2 endpoints. Patches Please upgrade to 3.7.11, 4.0.4, or 4.1.11 depending on your used Spree version. Workarounds In your project directory create a decorator file...

CVE-2020-11883

In Divante vue-storefront-api through 1.11.1 and storefront-api through 1.0-rc.1, as used in VueStorefront PWA, unexpected HTTP requests lead to an exception that discloses the error stack trace, with absolute file paths and Node.js module names...

CVE-2020-11883

In Divante vue-storefront-api through 1.11.1 and storefront-api through 1.0-rc.1, as used in VueStorefront PWA, unexpected HTTP requests lead to an exception that discloses the error stack trace, with absolute file paths and Node.js module names...

Code injection

In Divante vue-storefront-api through 1.11.1 and storefront-api through 1.0-rc.1, as used in VueStorefront PWA, unexpected HTTP requests lead to an exception that discloses the error stack trace, with absolute file paths and Node.js module names...

CVE-2020-11883

In Divante vue-storefront-api through 1.11.1 and storefront-api through 1.0-rc.1, as used in VueStorefront PWA, unexpected HTTP requests lead to an exception that discloses the error stack trace, with absolute file paths and Node.js module names...

CVE-2020-11883

The CVE-2020-11883 entry concerns Divante Vue Storefront API (Divante vue-storefront-api up to v1.11.1) and storefront-api (up to v1.0-rc.1) used in VueStorefront PWA. The issue is an information-disclosure/stack-trace exposure: unexpected HTTP requests trigger an exception that reveals internal ...

Shopify: StoreFront API allows for a brute force attack on customer login by not timing out ALL attempts

It seems that the service used for login purposes could be brute forced. the system fails when the password is incorrect, after some unsuccessful attempts the following message is shown: "data":"customerAccessTokenCreate":null,"errors":"message":"Login attempt limit exceeded. Please try again...