Spree
CVE-2020-15269
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
1DescriptionNVD
In Spree before versions 3.7.11, 4.0.4, or 4.1.11, expired user tokens could be used to access Storefront API v2 endpoints. The issue is patched in versions 3.7.11, 4.0.4 and 4.1.11. A workaround without upgrading is described in the linked advisory.
AnalysisAI
In Spree before versions 3.7.11, 4.0.4, or 4.1.11, expired user tokens could be used to access Storefront API v2 endpoints. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.
Technical ContextAI
This vulnerability is classified as Improper Authentication (CWE-287), which allows attackers to bypass authentication mechanisms to gain unauthorized access. In Spree before versions 3.7.11, 4.0.4, or 4.1.11, expired user tokens could be used to access Storefront API v2 endpoints. The issue is patched in versions 3.7.11, 4.0.4 and 4.1.11. A workaround without upgrading is described in the linked advisory. Affected products include: Sparksolutions Spree.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Implement multi-factor authentication, enforce strong password policies, use proven authentication frameworks.
Spree versions up to 4.10.2 is affected by authorization bypass through user-controlled key (CVSS 7.5).
Spree Commerce's guest checkout feature contains an insecure direct object reference (IDOR) flaw that allows unauthentic
Spree e-commerce platform versions prior to 4.10.2, 5.0.7, 5.1.9, and 5.2.5 contain an authenticated insecure direct obj
Spree is a complete open source e-commerce solution built with Ruby on Rails. Rated medium severity (CVSS 6.5), this vul
Spree versions up to 5.0.8 is affected by authorization bypass through user-controlled key (CVSS 5.3).
Spree Commerce 1.0.x through 1.3.2 allows remote authenticated administrators to instantiate arbitrary Ruby objects and
app/models/spree/user.rb in spree_auth_devise in Spree 1.1.x before 1.1.6, 1.2.x, and 1.3.x does not perform mass assign
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today