CVE-2020-26223

Published 20 days ago
Category: Authentication
Source: GitHub
Severity: Severe

Vulnerability in spree_api

Impact

An attacker could query the [API v2 Order Status](https://guides.spreecommerce.org/api/v2/storefront#tag/Order-Status) endpoint with an empty string passed as the order token.
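As an added illustration, not Spree's own code, a minimal Ruby model of the number-plus-token lookup behind an order status endpoint, showing a lookup that accepts a blank token next to a hardened one that refuses it; the order records, finder names and wrapper are constructed assumptions.

```ruby
# Added example (not Spree's code): an in-memory stand-in for the order lookup
# so the blank-token check can be exercised offline.
Order = Struct.new(:number, :token, :email, keyword_init: true)

# Constructed sample data: the second order's token was never populated.
ORDERS = [
  Order.new(number: "R100000001", token: "a1b2c3d4", email: "alice@example.com"),
  Order.new(number: "R100000002", token: "",         email: "bob@example.com"),
].freeze

# Unchecked lookup: compares number and token exactly as supplied. A request
# carrying an empty token string therefore matches any order stored with an
# empty token, which is the failure mode the advisory describes.
def find_order_unchecked(number, token)
  ORDERS.find { |o| o.number == number && o.token == token }
end

# Hardened lookup: reject a blank number or token before any comparison, so an
# empty token can never match an order whose stored token is empty or nil.
def find_order(number, token)
  return nil if number.to_s.strip.empty? || token.to_s.strip.empty?

  ORDERS.find { |o| o.number == number && o.token == token }
end

# Hypothetical controller-style wrapper: expose data only when the hardened
# lookup finds a match, otherwise answer 404 without leaking order details.
def order_status(number, token)
  order = find_order(number, token)
  order ? { status: 200, email: order.email } : { status: 404 }
end
```

The unchecked finder returns bob's order for an empty token, while the hardened finder and the wrapper return nothing and 404 respectively.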

Patches

Please upgrade to 3.7.11, 4.0.4, or 4.1.11, depending on the Spree version you use. Users of Spree < 3.7 are not affected.

CVSS Metrics
| Access Vector | Access Complexity | Authentication | Confidentiality Impact | Integrity Impact | Availability Impact |
|---|---|---|---|---|---|
| n/a | n/a | n/a | n/a | n/a | n/a |
Patched Versions

~> 3.7.11
~> 4.0.4
>= 4.1.11

Unaffected Versions

< 3.7.0

References

n/a