Support Us — Your donation helps us keep running

Goal: 1000 CNY,Raised: 1000 CNY

100.0%
Donate Now
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2020-26223
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
Authorization bypass in Spree
Source: NVD (National Vulnerability Database)
Vulnerability Description
Spree is a complete open source e-commerce solution built with Ruby on Rails. In Spree from version 3.7 and before versions 3.7.13, 4.0.5, and 4.1.12, there is an authorization bypass vulnerability. The perpetrator could query the API v2 Order Status endpoint with an empty string passed as an Order token. This is patched in versions 3.7.11, 4.0.4, or 4.1.11 depending on your used Spree version. Users of Spree < 3.7 are not affected.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
授权机制不正确
Source: NVD (National Vulnerability Database)
Vulnerability Title
Spree 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Spree是个人开发者的一款采用Ruby on Rails开发的开源商城。 Spree 3.7版本至3.7.13版本, 4.0.5版本, 4.1.12版本存在安全漏洞,该漏洞源于存在一个授权绕过漏洞。攻击者可利用该漏洞使用一个作为订单令牌传递的空字符串查询API v2订单状态端点。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
VendorProductAffected VersionsCPESubscribe
spreespree >= 3.7.0, < 3.7.13 -
II. Public POCs for CVE-2020-26223
#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC
III. Intelligence Information for CVE-2020-26223
Please Login to view more intelligence information
New Vulnerabilities
Product: spree
Vendor: spree
Same weakness: CWE-863
V. Comments for CVE-2020-26223

No comments yet

Leave a comment