CNNVD-202602-926 Information
CNNVD ID
CNNVD-202602-926
Related CVE
- CNNVD Published: 2026-02-06
Description (Chinese)
Spree is an open-source e-commerce platform developed in Ruby on Rails by an individual developer. Spree versions before 5.0.8, 5.1.10, 5.2.7 and 5.3.2 contain a security vulnerability: unauthenticated users can view completed guest orders, which may lead to the disclosure of guest users' personal information.
Description (English)
Spree is an open-source e-commerce platform developed by an individual developer using Ruby on Rails. Spree versions before 5.0.8, 5.1.10, 5.2.7 and 5.3.2 contain a security vulnerability that arises from unauthenticated users being able to access completed guest orders, which may result in the disclosure of guest users' personal information.
Hazard Level
High
Vulnerability Type
Other
Affected Vendor
Individual developer
Published
2026-02-06
Last Modified
2026-02-24
References
https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/storefront/app/controllers/spree/orders_controller.rb#L14
https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/storefront/app/controllers/spree/orders_controller.rb#L51C1-L55C8
https://github.com/spree/spree/blob/a878eb4a782ce0445d218ea86fb12075b0e3d7cc/core/lib/spree/core/number_generator.rb#L45
https://github.com/spree/spree/commit/3e00be64c128ef4bd4b99731f0c3ab469509cfab
https://github.com/spree/spree/commit/6b32ed7d474aa55fa441990e6aa39740152aa1be
https://github.com/spree/spree/commit/6f6b8a7a28a8bff24a6e20eab04b4bbbdf39384d
https://github.com/spree/spree/commit/ea4a5db590ca753dbc986f2a4e818d9e0edfb1ad
https://github.com/spree/spree/security/advisories/GHSA-p6pv-q7rc-g4h9
https://access.redhat.com/security/cve/cve-2026-25757
Patch
https://github.com/spree/spree/releases