{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-10T09:07:43.746","vulnerabilities":[{"cve":{"id":"CVE-2020-26223","sourceIdentifier":"security-advisories@github.com","published":"2020-11-13T18:15:12.777","lastModified":"2024-11-21T05:19:34.637","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"Spree is a complete open source e-commerce solution built with Ruby on Rails. In Spree from version 3.7 and before versions 3.7.13, 4.0.5, and 4.1.12, there is an authorization bypass vulnerability. The perpetrator could query the API v2 Order Status endpoint with an empty string passed as an Order token. This is patched in versions 3.7.11, 4.0.4, or 4.1.11 depending on your used Spree version. Users of Spree < 3.7 are not affected."},{"lang":"es","value":"Spree es una completa solución e-commerce de código abierto construida con Ruby on Rails. En Spree desde la versión 3.7 y versiones anteriores a 3.7.13, 4.0.5 y 4.1.12, se presenta una vulnerabilidad de omisión de autorización. El perpetrador podría consultar el endpoint API v2 Order Status con una cadena vacía pasada como un token de pedido. Esto está parcheado en versiones 3.7.11, 4.0.4 o 4.1.11 dependiendo de la versión de Spree usada. Los usuarios de Spree versiones anteriores a 3.7 no están 
afectados"}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N","baseScore":7.7,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":3.1,"impactScore":4.0},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":3.6}],"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:L/Au:S/C:P/I:N/A:N","baseScore":4.0,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"SINGLE","confidentialityImpact":"PARTIAL","integrityImpact":"NONE","availabilityImpact":"NONE"},"baseSeverity":"MEDIUM","exploitabilityScore":8.0,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-863"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:spreecommerce:spree:*:*:*:*:*:*:*:*","versionStartIncluding":"3.7.0","versionEndExcluding":"3.7.13","matchCriteriaId":"4F0DFB4E-3D62-4C6C-A227-3B839055F34C"},{"vulnerable":true,"criteria":"cpe:2.3:a:spreecommerce:spree:*:*:*:*:*:*:*:*","versionStartIncluding":"4.0.0","versionEndExcluding":"4.0.5","matchCriteriaId":"B10057D2-194D-4019-A8
F3-9A64E3BAFE70"},{"vulnerable":true,"criteria":"cpe:2.3:a:spreecommerce:spree:*:*:*:*:*:*:*:*","versionStartIncluding":"4.1.0","versionEndExcluding":"4.1.12","matchCriteriaId":"95279953-3BEB-454E-8C60-F4E00602849B"}]}]}],"references":[{"url":"https://github.com/spree/spree/pull/10573","source":"security-advisories@github.com","tags":["Exploit","Patch","Third Party Advisory"]},{"url":"https://github.com/spree/spree/security/advisories/GHSA-m2jr-hmc3-qmpr","source":"security-advisories@github.com","tags":["Third Party Advisory"]},{"url":"https://guides.spreecommerce.org/api/v2/storefront#tag/Order-Status","source":"security-advisories@github.com","tags":["Vendor Advisory"]},{"url":"https://github.com/spree/spree/pull/10573","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Exploit","Patch","Third Party Advisory"]},{"url":"https://github.com/spree/spree/security/advisories/GHSA-m2jr-hmc3-qmpr","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"]},{"url":"https://guides.spreecommerce.org/api/v2/storefront#tag/Order-Status","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Vendor Advisory"]}]}}]}