SB2020102068 - Improper Authorization in spree_api


Published: October 20, 2020 Updated: April 27, 2026

Security Bulletin ID SB2020102068
CSH Severity
Low
Patch available
YES
Number of vulnerabilities 1
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Low 100%

Description

This security bulletin contains information about 1 vulnerability.


1) Improper Authorization (CVE-ID: CVE-2020-15269)

The vulnerability allows a remote user to authenticate to Storefront API v2 endpoints with a user token that should no longer be valid.

The vulnerability exists because Storefront API v2 authentication did not check whether the presented Doorkeeper access token had expired: any token that could be looked up was accepted regardless of its expiry time. A remote user who holds a previously issued but since-expired user token can present it as a bearer token and gain unauthorized access to Storefront API v2 endpoints as the user the token was issued to.

The issue affects authentication of requests to Storefront API v2 endpoints using old expired user tokens. The token grants only the access of the user it was originally issued to, which is consistent with the Low severity rating.
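The following is an added example and not Spree's or Doorkeeper's own code. It models the failure mode described above with a small stand-in for a Doorkeeper access token and two bearer-token checks: a weak one that only looks the token up (the behaviour the advisory describes), and a hardened one that also rejects expired tokens. The hardened check goes slightly beyond the advisory's specific case by rejecting revoked tokens as well, mirroring the accessible? predicate Doorkeeper exposes. The token store, helper names, timestamps and sample tokens are all constructed for this example.

```ruby
# Added example (not Spree's own code): a minimal stand-in for a Doorkeeper
# access token and two Storefront-API-v2-style bearer-token checks.
require 'time'

# Stand-in for Doorkeeper::AccessToken. It stores the creation time, the
# seconds-to-live and an optional revocation time, and exposes predicates
# modelled on the real gem's expired?/revoked?/accessible? methods.
AccessToken = Struct.new(:token, :resource_owner_id, :created_at, :expires_in, :revoked_at) do
  # Expired once created_at + expires_in is in the past (nil expires_in never expires).
  def expired?(now = Time.now)
    !expires_in.nil? && created_at + expires_in <= now
  end

  def revoked?
    !revoked_at.nil?
  end

  # Usable only when neither expired nor revoked.
  def accessible?(now = Time.now)
    !expired?(now) && !revoked?
  end
end

# Constructed sample tokens (not real credentials); all issued to user 42
# with a two-hour lifetime, evaluated at a fixed "now" for reproducibility.
NOW = Time.parse('2020-10-20T12:00:00Z')
TOKENS = {
  'live-token'    => AccessToken.new('live-token',    42, NOW - 600,    7200, nil),
  'expired-token' => AccessToken.new('expired-token', 42, NOW - 10_800, 7200, nil),
  'revoked-token' => AccessToken.new('revoked-token', 42, NOW - 600,    7200, NOW - 60)
}.freeze

# Extract the bearer token from an Authorization header; nil if absent or not Bearer.
def bearer_token(headers)
  m = headers['Authorization'].to_s.match(/\ABearer\s+(\S+)\z/)
  m && m[1]
end

# Weak check (the vulnerable pattern): any token found in the store authenticates,
# so an old expired token still maps to its user.
def current_user_id_weak(headers)
  tok = TOKENS[bearer_token(headers)]
  tok && tok.resource_owner_id
end

# Hardened check: the token must exist and still be accessible at request time.
def current_user_id_hardened(headers, now = NOW)
  tok = TOKENS[bearer_token(headers)]
  tok && tok.accessible?(now) ? tok.resource_owner_id : nil
end

if __FILE__ == $PROGRAM_NAME
  expired = { 'Authorization' => 'Bearer expired-token' }
  puts "weak check, expired token     -> user #{current_user_id_weak(expired).inspect}"
  puts "hardened check, expired token -> user #{current_user_id_hardened(expired).inspect}"
end
```

Running the script shows the weak check returning user 42 for the expired token while the hardened check returns nil; the same hardened path also rejects a revoked token and any request without a Bearer header. In a real Spree deployment the equivalent check is performed by the upstream fix, so the point of the example is the missing predicate, not a drop-in replacement.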


Remediation

Install the update from the vendor's website. After updating, confirm the fix by sending a request carrying a known expired user token to a Storefront API v2 endpoint and verifying that it is rejected rather than served as that user.