CVE-2020-15269

Summary

In Spree before versions 3.7.11, 4.0.4, or 4.1.11, expired user tokens could be used to access Storefront API v2 endpoints. The issue is patched in versions 3.7.11, 4.0.4 and 4.1.11. A workaround without upgrading is described in the linked advisory.

Affected Software

VendorProductVersion RangeStatus
spreespree< 3.7.11affected
spreespree>= 4.0.0, < 4.0.4affected
spreespree>= 4.1.0, < 4.1.11affected

Weaknesses

  • CWE-287: {"CWE-287":"Improper Authentication"}
  • CWE-613: {"CWE-613":"Insufficient Session Expiration"}

ADP Enrichment

CVE Program Container

Additional References

References