Vulnerability: Expired User Tokens Grant Access to Storefront API v2 Endpoints

Vulnerability: Expired User Tokens Grant Access to Storefront API v2 Endpoints

CVE-2020-15269 · CRITICAL Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

In Spree before versions 3.7.11, 4.0.4, or 4.1.11, expired user tokens could be used to access Storefront API v2 endpoints. The issue is patched in versions 3.7.11, 4.0.4 and 4.1.11. A workaround without upgrading is described in the linked advisory.

Learn more about our Api Penetration Testing.