CVE-2020-15269

Published October 20th, 2020

View on NVD ↗

CVSS v3

7.4

HIGH

CVSS v2

6.4

MEDIUM

Affected

PROJECT

Description

In Spree before versions 3.7.11, 4.0.4, or 4.1.11, expired user tokens could be used to access Storefront API v2 endpoints. The issue is patched in versions 3.7.11, 4.0.4 and 4.1.11. A workaround without upgrading is described in the linked advisory.

spree/spree

Open Source eCommerce Platform for B2B, Marketplace, and Enterprise. REST API, TypeScript SDK, and production-ready Next.js storefront. Self-host it. Own your stack. No vendor lock-in. Zero platform fees.

GitHub

15.5K