VulnerableCode Package Details - pkg:gem/solidus

Search for packages

Vulnerability	Summary	Fixed by
VCID-gwmf-crvu-tbdd Aliases: CVE-2020-15109 GHSA-3mvg-rrrw-m7ph	Ability to change order address without triggering address validations in solidus	2.8.6 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 2.9.6 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 2.10.2 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-qss2-pgck-eybx Aliases: CVE-2021-43846 GHSA-h3fg-h5v3-vf8m	CSRF forgery protection bypass in solidus_frontend	2.11.14 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 3.0.0.rc2 Affected by 0 other vulnerabilities. 3.0.5 Affected by 0 other vulnerabilities. 3.1.5 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-s3ju-k74e-1fbh Aliases: CVE-2022-31000 GHSA-8639-qx56-r428	solidus_backend is the admin interface for the Solidus e-commerce framework. Versions prior to 3.1.6, 3.0.6, and 2.11.16 contain a cross-site request forgery (CSRF) vulnerability. The vulnerability allows attackers to change the state of an order's adjustments if they hold its number, and the execution happens on a store administrator's computer. Users should upgrade to solidus_backend 3.1.6, 3.0.6, or 2.11.16 to receive a patch.	2.11.16 Affected by 0 other vulnerabilities. 3.0.0.rc2 Affected by 0 other vulnerabilities. 3.0.5 Affected by 0 other vulnerabilities. 3.1.6 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-gwmf-crvu-tbdd
Aliases:
CVE-2020-15109
GHSA-3mvg-rrrw-m7ph

Ability to change order address without triggering address validations in solidus

2.8.6
Affected by 3 other vulnerabilities.

2.9.6
Affected by 3 other vulnerabilities.

2.10.2
Affected by 3 other vulnerabilities.

VCID-qss2-pgck-eybx
Aliases:
CVE-2021-43846
GHSA-h3fg-h5v3-vf8m

CSRF forgery protection bypass in solidus_frontend

2.11.14
Affected by 1 other vulnerability.

3.0.0.rc2
Affected by 0 other vulnerabilities.

3.0.5
Affected by 0 other vulnerabilities.

3.1.5
Affected by 1 other vulnerability.

VCID-s3ju-k74e-1fbh
Aliases:
CVE-2022-31000
GHSA-8639-qx56-r428

solidus_backend is the admin interface for the Solidus e-commerce framework. Versions prior to 3.1.6, 3.0.6, and 2.11.16 contain a cross-site request forgery (CSRF) vulnerability. The vulnerability allows attackers to change the state of an order's adjustments if they hold its number, and the execution happens on a store administrator's computer. Users should upgrade to solidus_backend 3.1.6, 3.0.6, or 2.11.16 to receive a patch.

2.11.16
Affected by 0 other vulnerabilities.

3.0.0.rc2
Affected by 0 other vulnerabilities.

3.0.5
Affected by 0 other vulnerabilities.

3.1.6
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-13T09:20:50.259231+00:00	Ruby Importer	Affected by	VCID-gwmf-crvu-tbdd	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/solidus_api/CVE-2020-15109.yml	38.6.0
2026-06-12T18:25:00.616085+00:00	GitLab Importer	Affected by	VCID-s3ju-k74e-1fbh	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/solidus_api/CVE-2022-31000.yml	38.6.0
2026-06-12T17:54:34.467291+00:00	GitLab Importer	Affected by	VCID-qss2-pgck-eybx	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/solidus_api/CVE-2021-43846.yml	38.6.0
2026-06-12T17:23:37.629823+00:00	GitLab Importer	Affected by	VCID-gwmf-crvu-tbdd	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/solidus_api/CVE-2020-15109.yml	38.6.0