Damianlegawiec

**Name of the Vulnerable Software and Affected Versions** Spree versions prior to 4.10.2 Spree versions prior to 5.0.7 Spree versions prior to 5.1.9 Spree versions prior to 5.2.5 **Description** Spree is an open source e-commerce solution built with Ruby on Rails. An Authenticated Insecure Direct Object Reference (IDOR) issue exists that allows an authenticated user to access address information belonging to other users. This occurs by modifying an existing order and manipulating address identifiers within the request. The backend server incorrectly processes these references, associating addresses from other users with the attacker’s order and returning them in the response. The issue involves manipulating address identifiers in a request to access data from other users. **Recommendations** Update Spree to version 4.10.2 or later. Update Spree to version 5.0.7 or later. Update Spree to version 5.1.9 or later. Update Spree to version 5.2.5 or later.

**Name of the Vulnerable Software and Affected Versions** Spree versions prior to 4.10.2 Spree versions prior to 5.0.7 Spree versions prior to 5.1.9 Spree versions prior to 5.2.5 **Description** Spree is an open source e-commerce solution built with Ruby on Rails. An unauthenticated Insecure Direct Object Reference (IDOR) issue exists, allowing an attacker to access guest address information without valid credentials or session cookies. The issue affects the Spree API. An IDOR occurs when an application provides direct access to objects based on user-supplied input. In this case, an attacker can manipulate the input to access data belonging to other users. The vulnerable component allows access to guest address information. **Recommendations** Update Spree to version 4.10.2 or later. Update Spree to version 5.0.7 or later. Update Spree to version 5.1.9 or later. Update Spree to version 5.2.5 or later.

**Name of the Vulnerable Software and Affected Versions** Spree versions prior to 3.7.11 Spree versions 3.7.11 through 3.7.12 are not affected, but versions prior to 3.7.11 are. However, considering the broader range, we can simplify to: Spree versions prior to 3.7.11 Spree versions 4.0.0 through 4.0.3 Spree versions 4.1.0 through 4.1.10 **Description** The issue concerns an authorization bypass vulnerability in Spree, a complete open source e-commerce solution built with Ruby on Rails. A perpetrator could query the "API v2 Order Status" endpoint with an empty string passed as an `Order token`. **Recommendations** For Spree versions prior to 3.7.11, upgrade to version 3.7.11. For Spree versions 4.0.0 through 4.0.3, upgrade to version 4.0.4. For Spree versions 4.1.0 through 4.1.10, upgrade to version 4.1.11.

**Name of the Vulnerable Software and Affected Versions** Spree versions prior to 3.7.11 Spree versions prior to 4.0.4 Spree versions prior to 4.1.11 **Description** The issue allows expired user tokens to be used for accessing Storefront API v2 endpoints. This could be exploited by a perpetrator who previously obtained an old expired user token. **Recommendations** For versions prior to 3.7.11, upgrade to version 3.7.11. For versions prior to 4.0.4, upgrade to version 4.0.4. For versions prior to 4.1.11, upgrade to version 4.1.11. As a temporary workaround without upgrading, create a decorator file `app/controllers/spree/api/v2/base controller decorator.rb` with the specified contents to override the `spree current user` method in `Spree::Api::V2::BaseController`.