EPSS: 0.002 (Low), percentile 55.4%
Spree is vulnerable to an authorization bypass. By passing an empty string as the token, an attacker can bypass the authorization checks and successfully query the API for any completed order.
github.com/advisories/GHSA-m2jr-hmc3-qmpr
github.com/spree/spree/pull/10573
github.com/spree/spree/security/advisories/GHSA-m2jr-hmc3-qmpr
guides.spreecommerce.org/api/v2/storefront#tag/Order-Status