FKIE_CVE-2026-22588

Vulnerability from fkie_nvd - Published: 2026-01-08 21:15 - Updated: 2026-02-02 16:14
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5, an Authenticated Insecure Direct Object Reference (IDOR) vulnerability was identified that allows an authenticated user to retrieve other users’ address information by modifying an existing order. By editing an order they legitimately own and manipulating address identifiers in the request, the backend server accepts and processes references to addresses belonging to other users, subsequently associating those addresses with the attacker’s order and returning them in the response. This issue has been patched in versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5.
References
security-advisories@github.comhttps://github.com/spree/spree/commit/02acabdce2c5f14fd687335b068d901a957a7e72Patch
security-advisories@github.comhttps://github.com/spree/spree/commit/17e78a91b736b49dbea8d1bb1223c284383ee5f3Patch
security-advisories@github.comhttps://github.com/spree/spree/commit/b409c0fd327e7ce37f63238894670d07079eefe8Patch
security-advisories@github.comhttps://github.com/spree/spree/commit/d3f961c442e0015661535cbd6eb22475f76d2dc7Patch
security-advisories@github.comhttps://github.com/spree/spree/security/advisories/GHSA-g268-72p7-9j6jExploit, Vendor Advisory
Impacted products
Vendor Product Version
spreecommerce spree *
spreecommerce spree *
spreecommerce spree *
spreecommerce spree *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:spreecommerce:spree:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "B265915C-3AA8-4B6C-9794-DA08F6359D31",
              "versionEndExcluding": "4.10.2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:spreecommerce:spree:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "C6C152A8-FCA5-4420-A138-E09B27970EE4",
              "versionEndExcluding": "5.0.7",
              "versionStartIncluding": "5.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:spreecommerce:spree:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "54EEC933-938E-404B-A87B-3771931D5E23",
              "versionEndExcluding": "5.1.9",
              "versionStartIncluding": "5.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:spreecommerce:spree:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "1C6D055D-A9A8-46E1-A16C-FE17B66E800B",
              "versionEndExcluding": "5.2.5",
              "versionStartIncluding": "5.2.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5, an Authenticated Insecure Direct Object Reference (IDOR) vulnerability was identified that allows an authenticated user to retrieve other users\u2019 address information by modifying an existing order. By editing an order they legitimately own and manipulating address identifiers in the request, the backend server accepts and processes references to addresses belonging to other users, subsequently associating those addresses with the attacker\u2019s order and returning them in the response. This issue has been patched in versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5."
    },
    {
      "lang": "es",
      "value": "Spree es una soluci\u00f3n de comercio electr\u00f3nico de c\u00f3digo abierto construida con Ruby on Rails. Antes de las versiones 4.10.2, 5.0.7, 5.1.9 y 5.2.5, se identific\u00f3 una vulnerabilidad de Referencia Directa Insegura a Objeto Autenticada (IDOR) que permite a un usuario autenticado recuperar la informaci\u00f3n de direcci\u00f3n de otros usuarios modificando un pedido existente. Al editar un pedido que poseen leg\u00edtimamente y manipular los identificadores de direcci\u00f3n en la solicitud, el servidor de backend acepta y procesa referencias a direcciones que pertenecen a otros usuarios, asociando posteriormente esas direcciones con el pedido del atacante y devolvi\u00e9ndolas en la respuesta. Este problema ha sido parcheado en las versiones 4.10.2, 5.0.7, 5.1.9 y 5.2.5."
    }
  ],
  "id": "CVE-2026-22588",
  "lastModified": "2026-02-02T16:14:33.957",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-01-08T21:15:44.560",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/spree/spree/commit/02acabdce2c5f14fd687335b068d901a957a7e72"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/spree/spree/commit/17e78a91b736b49dbea8d1bb1223c284383ee5f3"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/spree/spree/commit/b409c0fd327e7ce37f63238894670d07079eefe8"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/spree/spree/commit/d3f961c442e0015661535cbd6eb22475f76d2dc7"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/spree/spree/security/advisories/GHSA-g268-72p7-9j6j"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-639"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.