CNNVD-202601-1389 Information
CNNVD ID
CNNVD-202601-1389
Related CVE
- CNNVD Published: 2026-01-08
Description (Chinese, translated)
Spree is an open-source e-commerce platform developed in Ruby on Rails by an individual developer. Spree versions before 4.10.2, 5.0.7, 5.1.9 and 5.2.5 contain a security vulnerability caused by an insecure direct object reference available to authenticated users, which may allow them to obtain other users' address information.
Description (English)
Spree is an open-source e-commerce platform developed in Ruby on Rails by an individual developer. Spree versions before 4.10.2, 5.0.7, 5.1.9 and 5.2.5 contain a security vulnerability: an authenticated user can exploit an insecure direct object reference (IDOR), which may lead to access to other users' address information.
Hazard Level
High
Vulnerability Type
Other
Affected Vendor
Individual developer
Published
2026-01-08
Last Modified
2026-02-24
References
- https://github.com/spree/spree/security/advisories/GHSA-g268-72p7-9j6j
- https://github.com/spree/spree/commit/02acabdce2c5f14fd687335b068d901a957a7e72
- https://github.com/spree/spree/commit/d3f961c442e0015661535cbd6eb22475f76d2dc7
- https://github.com/spree/spree/commit/17e78a91b736b49dbea8d1bb1223c284383ee5f3
- https://github.com/spree/spree/commit/b409c0fd327e7ce37f63238894670d07079eefe8
- https://access.redhat.com/security/cve/cve-2026-22588