Improper Input Validation

Affecting solidus_frontend gem, versions >=2.8.0, <2.8.6 || >=2.9.0, <2.9.6 || >=2.10.0, <2.10.2

Overview

solidus_frontend is a cart and storefront for the Solidus e-commerce project.

Affected versions of this package are vulnerable to Improper Input Validation. A malicious customer can craft checkout request data whose parameters change the shipping address of the current order without the shipment cost being recalculated for the new destination, so the order keeps the shipping rate that was computed for the previous address. Any store with at least two shipping zones and different shipment costs per zone is affected.
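The following is an added example, not code from solidus_frontend or the Solidus project. It models the class of flaw described above in a self-contained way: an order whose shipment cost is priced from its shipping zone, a checkout update that applies a new address without repricing (the vulnerable shape), the same update with mandatory repricing (the hardened shape), and an audit check a store operator could run over existing orders to find shipments priced for a zone other than the one they will ship to. The zone names, rates, country codes and the `ship_address_attributes` parameter key are constructed sample data and assumptions for illustration only.

```ruby
# Constructed sample data: two zones with different flat shipment costs.
ZONE_RATES = { "domestic" => 5.00, "international" => 25.00 }.freeze
# Constructed sample data: country code -> shipping zone.
COUNTRY_ZONES = { "US" => "domestic", "DE" => "international" }.freeze

def zone_for(address)
  COUNTRY_ZONES.fetch(address[:country]) do
    raise ArgumentError, "no shipping zone for #{address[:country].inspect}"
  end
end

def rate_for(address)
  ZONE_RATES.fetch(zone_for(address))
end

class Order
  attr_reader :ship_address, :shipment_cost

  def initialize(ship_address)
    @ship_address = ship_address
    @shipment_cost = rate_for(ship_address) # priced once, at the address step
  end

  # Vulnerable shape: the submitted address attributes are accepted and
  # applied, but the shipment keeps the cost computed for the old address.
  def update_vulnerable(params)
    if (attrs = params["ship_address_attributes"])
      @ship_address = attrs.transform_keys(&:to_sym)
    end
    self
  end

  # Hardened shape: any change to the ship address forces the shipment to
  # be repriced from the new address before the order can continue.
  def update_hardened(params)
    if (attrs = params["ship_address_attributes"])
      new_address = attrs.transform_keys(&:to_sym)
      if new_address != @ship_address
        @ship_address = new_address
        @shipment_cost = rate_for(new_address)
      end
    end
    self
  end

  # Audit check: does the stored shipment cost match the zone of the
  # address the order will actually ship to? False indicates an order
  # that was repriced incorrectly (or never repriced at all).
  def shipment_priced_consistently?
    @shipment_cost == rate_for(@ship_address)
  end
end

# Constructed request: shipping was priced for a domestic address, then a
# later request swaps in an international address.
CRAFTED_PARAMS = { "ship_address_attributes" => { "country" => "DE" } }.freeze

def demo
  start = { country: "US" }
  vuln = Order.new(start).update_vulnerable(CRAFTED_PARAMS)
  safe = Order.new(start).update_hardened(CRAFTED_PARAMS)
  {
    vulnerable_cost: vuln.shipment_cost,                 # 5.0, still the domestic rate
    vulnerable_ok:   vuln.shipment_priced_consistently?, # false
    hardened_cost:   safe.shipment_cost,                 # 25.0, repriced for the new zone
    hardened_ok:     safe.shipment_priced_consistently?, # true
  }
end

puts demo if $PROGRAM_NAME == __FILE__
```

The audit check is the part worth keeping after upgrading: a report of orders where `shipment_priced_consistently?` is false gives a store a concrete list of shipments that may have been placed while the vulnerable versions were deployed.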

Remediation

Upgrade solidus_frontend to version 2.8.6, 2.9.6 or 2.10.2 (or higher on the corresponding release branch).

CVSS Score

7.5
high severity
  • Attack Vector
    Network
  • Attack Complexity
    Low
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    None
  • Integrity
    High
  • Availability
    None
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:P/RL:O/RC:C
Credit
Martin Meyerhoff, Alberto Vena
CVE
CVE-2020-15109
CWE
CWE-20
Snyk ID
SNYK-RUBY-SOLIDUSFRONTEND-597395
Disclosed
05 Aug, 2020
Published
05 Aug, 2020