Description
solidus_backend is the admin interface for the Solidus e-commerce framework. Versions prior to 3.1.6, 3.0.6, and 2.11.16 contain a cross-site request forgery (CSRF) vulnerability. The vulnerability allows attackers to change the state of an order's adjustments if they hold its number, and the execution happens on a store administrator's computer. Users should upgrade to solidus_backend 3.1.6, 3.0.6, or 2.11.16 to receive a patch.
References (2)
Core 2
Core References
Exploit, Third Party Advisory x_refsource_confirm
https://github.com/solidusio/solidus/security/advisories/GHSA-8639-qx56-r428
Patch, Third Party Advisory x_refsource_misc
https://github.com/solidusio/solidus/commit/de796a2e0be7f154cae48b46e267501559d9716c
Scores
CVSS v3
2.3
EPSS
0.0017
EPSS Percentile
37.7%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-352
Status
published
Products (2)
nebulab/solidus
< 2.11.16
rubygems/solidus_backend
0 - 2.11.16RubyGems
Published
Jun 01, 2022
Tracked Since
Feb 18, 2026