CVE-2020-15109

Published: Aug 4, 2020

Modified: Aug 4, 2024

PUBLISHED

CVSS v3.1

5.3

MEDIUM

Description

In solidus before versions 2.8.6, 2.9.6, and 2.10.2, there is an bility to change order address without triggering address validations. This vulnerability allows a malicious customer to craft request data with parameters that allow changing the address of the current order without changing the shipment costs associated with the new shipment. All stores with at least two shipping zones and different costs of shipment per zone are impacted. This problem comes from how checkout permitted attributes are structured. We have a single list of attributes that are permitted across the whole checkout, no matter the step that is being submitted. See the linked reference for more information. As a workaround, if it is not possible to upgrade to a supported patched version, please use this gist in the references section.

Vendor	Product	Versions
solidusio	solidus	affected `< 2.8.6` affected `>= 2.9.0, < 2.9.6` affected `>= 2.10.0, < 2.10.2`

Weaknesses (CWE)

CWE-20

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

References

https://github.com/solidusio/solidus/security/advisories/GHSA-3mvg-rrrw-m7ph

x_refsource_CONFIRM

https://gist.github.com/kennyadsl/4618cd9797984cb64f7700a81bda889d

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2020-15109

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References