CVE-2020-15269

Expired token reuse in Spree

CVSS 7.4 HIGH · EPSS 1.1% · CWE-287 · CWE-613
In Spree before versions 3.7.11, 4.0.4, or 4.1.11, expired user tokens could be used to access Storefront API v2 endpoints. The issue is patched in versions 3.7.11, 4.0.4 and 4.1.11. A workaround without upgrading is described in the linked advisory.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Affected products
spree · spree
