CVE-2020-15109

MEDIUM

Solidus <2.8.6, 2.9.6, 2.10.2 - Info Disclosure

Title source: llm

Description

In solidus before versions 2.8.6, 2.9.6, and 2.10.2, there is an bility to change order address without triggering address validations. This vulnerability allows a malicious customer to craft request data with parameters that allow changing the address of the current order without changing the shipment costs associated with the new shipment. All stores with at least two shipping zones and different costs of shipment per zone are impacted. This problem comes from how checkout permitted attributes are structured. We have a single list of attributes that are permitted across the whole checkout, no matter the step that is being submitted. See the linked reference for more information. As a workaround, if it is not possible to upgrade to a supported patched version, please use this gist in the references section.

References (2)

Core 2

Core References

Exploit, Third Party Advisory x_refsource_confirm

https://github.com/solidusio/solidus/security/advisories/GHSA-3mvg-rrrw-m7ph

Patch, Third Party Advisory x_refsource_misc

https://gist.github.com/kennyadsl/4618cd9797984cb64f7700a81bda889d

Scores

CVSS v3 5.3

EPSS 0.0021

EPSS Percentile 42.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Details

CWE

CWE-862 CWE-20

Status published

Products (3)

nebulab/solidus < 2.8.6

rubygems/solidus_api 0 - 2.8.6RubyGems

rubygems/solidus_frontend 0 - 2.8.6RubyGems

Published Aug 04, 2020

Tracked Since Feb 18, 2026