PT-2022-20447 · Unknown · Solidus Backend

Published: 2022-06-01 · Updated: 2022-06-08 · CVE-2022-31000

CVSS v2.0: 4.3 (Medium)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions: solidus backend versions prior to 3.1.6; solidus backend versions prior to 3.0.6; solidus backend versions prior to 2.11.16

Description: The vulnerability is a cross-site request forgery (CSRF) issue that allows an attacker who knows an order's number to change the state of that order's adjustments. The forged request is executed in the browser of a logged-in store administrator.

Recommendations: For solidus backend versions prior to 3.1.6, upgrade to version 3.1.6 to receive the patch. For solidus backend versions prior to 3.0.6, upgrade to version 3.0.6 to receive the patch. For solidus backend versions prior to 2.11.16, upgrade to version 2.11.16 to receive the patch. As a temporary workaround, consider restricting access to the /admin/orders/{order number}/adjustments/unfinalize and /admin/orders/{order number}/adjustments/finalize API endpoints until a patch is available.
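One way to implement the temporary workaround above while an upgrade is scheduled is a small Rack-style middleware in front of the Solidus application that refuses requests to the two adjustment endpoints. The code below is an added example and is not part of Solidus or of the advisory; the order-number pattern (any single path segment) and the 403 response body are assumptions, and the middleware class name is hypothetical.

```ruby
# Added example (not Solidus code): deny the two adjustment endpoints named in
# the advisory's temporary workaround until the patched version is deployed.
#
# Assumption: an order number is matched loosely as one path segment; this page
# does not state the exact Solidus order-number format.
BLOCKED_ADJUSTMENT_PATH =
  %r{\A/admin/orders/[^/]+/adjustments/(?:finalize|unfinalize)/?\z}

class BlockAdjustmentFinalization
  def initialize(app)
    @app = app
  end

  # True when the request path is one of the two endpoints to be restricted.
  # Every HTTP method is refused for these paths: a forged cross-site request
  # arrives with whatever method the route accepts, so filtering on method
  # alone would not be a safe interim measure.
  def self.blocked_path?(path)
    BLOCKED_ADJUSTMENT_PATH.match?(path.to_s)
  end

  def call(env)
    if self.class.blocked_path?(env["PATH_INFO"])
      # 403 rather than 404 so that access attempts stand out in request logs.
      return [403, { "content-type" => "text/plain" }, ["Forbidden\n"]]
    end
    @app.call(env)
  end
end

# In a Rails application this middleware would be installed ahead of the
# stack, e.g. in config/application.rb:
#   config.middleware.insert_before 0, BlockAdjustmentFinalization
#
# Stand-alone demonstration with a constructed downstream app and constructed
# requests; returns the status codes seen by the client.
def demo
  app = ->(_env) { [200, { "content-type" => "text/plain" }, ["ok\n"]] }
  guarded = BlockAdjustmentFinalization.new(app)
  [
    guarded.call("PATH_INFO" => "/admin/orders/R000000001/adjustments/finalize")[0],
    guarded.call("PATH_INFO" => "/admin/orders/R000000001/adjustments/unfinalize")[0],
    guarded.call("PATH_INFO" => "/admin/orders/R000000001/adjustments")[0],
    guarded.call("PATH_INFO" => "/admin/orders/R000000001")[0]
  ]
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

This only removes the reachable surface for the interim; it does not add CSRF token verification to those actions, so the upgrade to 3.1.6, 3.0.6 or 2.11.16 remains the actual fix. Administrators who still need to finalize or unfinalize adjustments during the interim will be refused as well, which is the intended trade-off of the workaround.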

Tags: Exploit · Fix · CSRF


Weakness Enumeration

Related Identifiers

CVE-2022-31000
GHSA-8639-QX56-R428

Affected Products

Solidus Backend