CVE-2020-15269
7.4
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Summary
In Spree before versions 3.7.11, 4.0.4, or 4.1.11, expired user tokens could be used to access Storefront API v2 endpoints. The issue is patched in versions 3.7.11, 4.0.4 and 4.1.11. A workaround without upgrading is described in the linked advisory.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| spree | spree | < 3.7.11 | affected |
| spree | spree | >= 4.0.0, < 4.0.4 | affected |
| spree | spree | >= 4.1.0, < 4.1.11 | affected |
Weaknesses
- CWE-287: {"CWE-287":"Improper Authentication"}
- CWE-613: {"CWE-613":"Insufficient Session Expiration"}
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/spree/spree/security/advisories/GHSA-f8cm-364f-q9qh
- https://github.com/spree/spree/commit/e43643abfe51f54bd9208dd02298b366e9b9a847
References
- https://github.com/spree/spree/security/advisories/GHSA-f8cm-364f-q9qh
- https://github.com/spree/spree/commit/e43643abfe51f54bd9208dd02298b366e9b9a847
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.