Search for packages
| purl | pkg:gem/spree@4.0.4 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-yqz2-9hru-wkcs
Aliases: CVE-2020-26223 GHSA-m2jr-hmc3-qmpr |
Authorization bypass in Spree ### Impact The perpetrator could query the [API v2 Order Status] (https://guides.spreecommerce.org/api/v2/storefront#tag/Order-Status) endpoint with an empty string passed as an Order token ### Patches Please upgrade to 3.7.11, 4.0.4, or 4.1.11 depending on your used Spree version. Users of Spree < 3.7 are not affected. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-cwh1-mmky-ukcx | Ensure that doorkeeper_token is valid when authenticating requests in API v2 calls ### Impact The perpetrator who previously obtained an old expired user token could use it to access Storefront API v2 endpoints. ### Patches Please upgrade to 3.7.11, 4.0.4, or 4.1.11 depending on your used Spree version. |
CVE-2020-15269
GHSA-f8cm-364f-q9qh |
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-06-05T21:15:23.402140+00:00 | GHSA Importer | Fixing | VCID-cwh1-mmky-ukcx | https://github.com/advisories/GHSA-f8cm-364f-q9qh | 38.6.0 |
| 2026-06-04T20:41:04.149590+00:00 | GitLab Importer | Affected by | VCID-yqz2-9hru-wkcs | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/spree/CVE-2020-26223.yml | 38.6.0 |
| 2026-06-04T17:21:20.762095+00:00 | GithubOSV Importer | Fixing | VCID-cwh1-mmky-ukcx | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/10/GHSA-f8cm-364f-q9qh/GHSA-f8cm-364f-q9qh.json | 38.6.0 |
| 2026-06-04T16:20:33.374449+00:00 | GitLab Importer | Fixing | VCID-cwh1-mmky-ukcx | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/spree/CVE-2020-15269.yml | 38.6.0 |