Description
In Spree before versions 3.7.11, 4.0.4 and 4.1.11, an expired user access token was still accepted when authenticating requests to Storefront API v2 endpoints, so a token that should have stopped working after its lifetime elapsed could continue to act on behalf of its owner. The issue is patched in versions 3.7.11, 4.0.4 and 4.1.11. A workaround that does not require upgrading is described in the linked GitHub advisory.
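The failure mode above is a plain insufficient-session-expiration (CWE-613) bug: the request is resolved to a user from whatever token row matches the bearer string, and the token's lifetime is never consulted. The following Ruby example is added here to illustrate that pattern and the check that closes it; it is not Spree's or Doorkeeper's code, and the token table, user table, clock value and the `current_user_vulnerable`/`current_user` names are all constructed for the example.

```ruby
require 'time'

# Constructed in-memory stand-in for an OAuth access-token table with
# Doorkeeper-style columns (token, resource_owner_id, created_at,
# expires_in in seconds, revoked_at). Not the project's own model.
Token = Struct.new(:token, :resource_owner_id, :created_at, :expires_in, :revoked_at,
                   keyword_init: true) do
  # Expired once created_at + expires_in is in the past; nil expires_in never expires.
  def expired?(now)
    !expires_in.nil? && created_at + expires_in <= now
  end

  def revoked?
    !revoked_at.nil?
  end

  # A token is usable only when it is neither expired nor revoked.
  def accessible?(now)
    !expired?(now) && !revoked?
  end
end

# Constructed user table keyed by resource_owner_id.
USERS = { 1 => 'alice@example.test', 2 => 'bob@example.test' }.freeze

# Fixed "request time" so the example is deterministic (assumed, not real data).
NOW = Time.parse('2020-10-20T12:00:00Z')

# Constructed sample tokens: one live, one that expired an hour ago, one revoked.
TOKENS = [
  Token.new(token: 'live-token',    resource_owner_id: 1, created_at: NOW - 600,    expires_in: 7200, revoked_at: nil),
  Token.new(token: 'expired-token', resource_owner_id: 1, created_at: NOW - 10_800, expires_in: 7200, revoked_at: nil),
  Token.new(token: 'revoked-token', resource_owner_id: 2, created_at: NOW - 600,    expires_in: 7200, revoked_at: NOW - 60)
].each_with_object({}) { |t, h| h[t.token] = t }.freeze

def find_token(bearer)
  TOKENS[bearer]
end

# Vulnerable pattern (CWE-613): any token row that matches the bearer string
# resolves to its owner, regardless of expiry or revocation.
def current_user_vulnerable(bearer)
  token = find_token(bearer)
  return nil unless token

  USERS[token.resource_owner_id]
end

# Hardened pattern: refuse to resolve a user unless the token is accessible
# (not expired and not revoked) at the time of the request.
def current_user(bearer, now: NOW)
  token = find_token(bearer)
  return nil unless token && token.accessible?(now)

  USERS[token.resource_owner_id]
end

if $PROGRAM_NAME == __FILE__
  %w[live-token expired-token revoked-token missing-token].each do |bearer|
    puts format('%-14s vulnerable=%-21p hardened=%p',
                bearer, current_user_vulnerable(bearer), current_user(bearer))
  end
end
```

Run stand-alone, the script prints one line per sample token: the vulnerable lookup returns a user for the expired and revoked tokens, while the hardened lookup returns `nil` for both and only honours the live one. The point to carry over to a real deployment is that the validity check has to run on every authenticated request, against the current time, not only when the token is issued.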
References (2)
Third Party Advisory x_refsource_confirm
https://github.com/spree/spree/security/advisories/GHSA-f8cm-364f-q9qh
Patch, Third Party Advisory x_refsource_misc
https://github.com/spree/spree/commit/e43643abfe51f54bd9208dd02298b366e9b9a847
Scores
CVSS v3
7.4
EPSS
0.0026
EPSS Percentile
49.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Details
CWE
CWE-613
CWE-287
Status
published
Products (2)
rubygems/spree
0 - 3.7.11 (RubyGems)
sparksolutions/spree
< 3.7.11
Published
Oct 20, 2020
Tracked Since
Feb 18, 2026