Home

CVE-2020-26223

Description

Spree is a complete open source e-commerce solution built with Ruby on Rails. In Spree from version 3.7 and before versions 3.7.13, 4.0.5, and 4.1.12, there is an authorization bypass vulnerability. The perpetrator could query the API v2 Order Status endpoint with an empty string passed as an Order token. This is patched in versions 3.7.11, 4.0.4, or 4.1.11 depending on your used Spree version. Users of Spree < 3.7 are not affected.

Risk Information

Base Score
6.5
MODERATE
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS Score
Exploitation Probability
0.267

Associated Vulnerability

VulnerabilityOS Platform
Vulnerabilities CVE-2020-26223 are fixed in Ruby-spree_api 3.7.13Windows
Vulnerabilities CVE-2020-26223 are fixed in Ruby-spree_api 4.0.5Windows
Vulnerabilities CVE-2020-26223 are fixed in Ruby-spree_api 4.1.12Windows
Vulnerabilities CVE-2020-26223 are fixed in Ruby-spree_api for Linux 3.7.13Linux
Vulnerabilities CVE-2020-26223 are fixed in Ruby-spree_api for Linux 4.0.5Linux
Vulnerabilities CVE-2020-26223 are fixed in Ruby-spree_api for Linux 4.1.12Linux

Patch Details

No records found

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234