CNNVD-202602-928 Information

CNNVD ID

CNNVD-202602-928

CVE-2026-25758

  • CNNVD Published: 2026-02-06

Description (Chinese, translated)

Spree is an open-source e-commerce store built with Ruby on Rails by an individual developer. Spree versions before 4.10.3, 5.0.8, 5.1.10, 5.2.7 and 5.3.2 contain a security vulnerability caused by an insecure direct object reference in the guest checkout flow, which may allow unauthorized access to other guests' personal information.

Description (English)

Spree is an open-source e-commerce store built with Ruby on Rails by an individual developer. Spree versions before 4.10.3, 5.0.8, 5.1.10, 5.2.7 and 5.3.2 contain a security vulnerability caused by an insecure direct object reference (IDOR) in the guest checkout flow, which may allow unauthorized access to other guests' personal information.
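The vulnerability class named above, as an added generic illustration that is not Spree's code and does not reproduce the advisory's actual flaw or fix: a guest checkout address update that trusts a client-supplied address id (vulnerable) beside one that only honours ids already attached to the caller's own order (hardened). The model shape, method names, request shape and sample data are all assumptions constructed for the example.

```ruby
# Added generic illustration of an insecure direct object reference (IDOR)
# in a guest checkout address update, with a hardened version beside it.
# This is NOT Spree's code: the model shape, method names, request shape
# and the data below are assumptions constructed for the example.

# A stored address; order_token records which guest order created it.
Address = Struct.new(:id, :order_token, :firstname, :city, keyword_init: true)

# Constructed in-memory store: two guest orders (identified only by an
# order token, since a guest has no account) that each own one address.
class CheckoutStore
  attr_reader :addresses, :orders

  def initialize
    @addresses = {
      1 => Address.new(id: 1, order_token: "guest-A", firstname: "Alice", city: "Austin"),
      2 => Address.new(id: 2, order_token: "guest-B", firstname: "Bob",   city: "Boston"),
    }
    # order token -> ids of the addresses that order is entitled to use
    @orders = { "guest-A" => [1], "guest-B" => [2] }
  end

  def new_address(order_token)
    id = (@addresses.keys.max || 0) + 1
    @addresses[id] = Address.new(id: id, order_token: order_token)
  end
end

class Forbidden < StandardError; end

# Copies the editable fields from the request onto the address.
def apply_attrs(address, attrs)
  address.firstname = attrs[:firstname] if attrs.key?(:firstname)
  address.city      = attrs[:city]      if attrs.key?(:city)
  address
end

# VULNERABLE: a client-supplied id in the nested address attributes is looked
# up globally, with no check that it belongs to this order. A guest who
# guesses another guest's address id attaches that record to their own order
# and can then read (and edit) it through the normal checkout pages.
def update_bill_address_vulnerable(store, order_token, attrs)
  own_ids = store.orders.fetch(order_token)
  address = attrs[:id] ? store.addresses.fetch(attrs[:id].to_i) : store.new_address(order_token)
  own_ids << address.id unless own_ids.include?(address.id)
  apply_attrs(address, attrs)
end

# HARDENED: an id is honoured only if the address is already part of this
# order; anything else is refused. The lookup is scoped to the caller's own
# records, so knowing an id is no longer a capability on its own.
def update_bill_address_hardened(store, order_token, attrs)
  own_ids = store.orders.fetch(order_token)
  if attrs[:id]
    address = store.addresses[attrs[:id].to_i]
    unless address && own_ids.include?(address.id)
      raise Forbidden, "address #{attrs[:id]} is not part of order #{order_token}"
    end
  else
    address = store.new_address(order_token)
    own_ids << address.id
  end
  apply_attrs(address, attrs)
end

if __FILE__ == $0
  # Guest B submits guest A's address id (1) as their own billing address.
  leaked = update_bill_address_vulnerable(CheckoutStore.new, "guest-B", { id: 1 })
  puts "vulnerable: guest-B now sees #{leaked.firstname}, #{leaked.city}"
  begin
    update_bill_address_hardened(CheckoutStore.new, "guest-B", { id: 1 })
  rescue Forbidden => e
    puts "hardened: #{e.message}"
  end
end
```

The check that matters is the ownership test, not the lookup: an address id is a predictable integer, so treating it as proof of entitlement is the whole bug. For a guest checkout the simplest policy is to not accept an `id` in the address attributes at all and always create the address under the current order; where an `id` must be accepted (reusing an address entered earlier in the same session), scope the query to the order or account that owns it, as the hardened version does.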

Hazard Level

High

Vulnerability Type

Other

Affected Vendor

Individual developer

Published

2026-02-06

Last Modified

2026-02-24

References

  • https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/core/app/models/spree/order/address_book.rb#L16-L38
  • https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/core/app/models/spree/order/checkout.rb#L241-L254
  • https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/core/app/services/spree/checkout/update.rb#L33-L48
  • https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/core/lib/spree/permitted_attributes.rb#L92-L96
  • https://github.com/spree/spree/commit/15619618e43b367617ec8d2d4aafc5e54fa7b734
  • https://github.com/spree/spree/commit/29282d1565ba4f7bc2bbc47d550e2c0c6d0ae59f
  • https://github.com/spree/spree/commit/6650f96356faa0d16c05bcb516f1ffd5641741b8
  • https://github.com/spree/spree/commit/902d301ac83fd2047db1b9a3a99545162860f748
  • https://github.com/spree/spree/commit/ff7cfcfcfe0c40c60d03317e1d0ee361c6a6b054
  • https://github.com/spree/spree/security/advisories/GHSA-87fh-rc96-6fr6
  • https://access.redhat.com/security/cve/cve-2026-25758

Patch

https://github.com/spree/spree/releases