CVE-2020-15269

In Spree before versions 3.7.11, 4.0.4, or 4.1.11, expired user tokens could be used to access Storefront API v2 endpoints. The issue is patched in versions 3.7.11, 4.0.4 and 4.1.11. A workaround without upgrading is described in the linked advisory.

Published: Oct 20, 2020
Updated: May 9, 2024
CVE: CVE-2020-15269
GHSA: GHSA-f8cm-364f-q9qh
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 9.1
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CVSS v2:

Severity: Medium
Score: 6.4
AV:N/AC:L/Au:N/C:P/I:P/A:N

CWEs:

CWE-287
CWE-613

OWASP TOP 10:

A2 - Broken Authentication

Affected Software
References

Software	From	Fixed in
sparksolutions / spree	4.1.0	4.1.11
sparksolutions / spree	4.0.0	4.0.4
sparksolutions / spree	-	3.7.11
spree	-	3.7.11
spree	4.0.0	4.0.4
spree	4.1.0	4.1.11

https://github.com/spree/spree/commit/e43643abfe51f54bd9208dd02298b366e9b9a847
https://github.com/spree/spree/security/advisories/GHSA-f8cm-364f-q9qh

Vulnerability Database

CVE-2020-15269

Deep Security Visibility Without the Complexity