CVE-2020-15109

Name of the Vulnerable Software and Affected Versions Solidus versions prior to 2.8.6 Solidus versions prior to 2.9.6 Solidus versions prior to 2.10.2

Description This issue allows a malicious customer to change the order address without triggering address validations, potentially altering shipment costs. All stores with at least two shipping zones and different costs of shipment per zone are impacted. The problem stems from the structure of checkout permitted attributes, which are applied across the whole checkout process.

Recommendations For versions prior to 2.8.6, update to version 2.8.6 or later. For versions prior to 2.9.6, update to version 2.9.6 or later. For versions prior to 2.10.2, update to version 2.10.2 or later. As a temporary workaround, if it is not possible to upgrade to a supported patched version, consider using the provided gist to patch the store. Restrict access to the ship address attributes parameter in the /checkout/update API endpoint to minimize the risk of exploitation. Avoid using the ship address attributes parameter in the affected API endpoint until the issue is resolved.