Authentication Bypass Affecting spree package, versions >=3.7.0 <3.7.11, >=4.0.0 <4.0.4, >=4.1.0 <4.1.11
21 Oct 2020
20 Oct 2020
How to fix?
Upgrade spree to version 3.7.11, 4.0.4, 4.1.11 or higher.
Affected versions of this package are vulnerable to Authentication Bypass. An attacker who had previously obtained an old, expired user token could use it to access Storefront API v2 endpoints.
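A check for whether a project's Gemfile.lock resolves spree to one of the affected ranges listed above, added here as an example and not part of the original advisory. The function names and the sample lockfile are constructed for illustration, and the check assumes the standard Bundler lockfile layout.

```ruby
require "rubygems" # Gem::Version and Gem::Requirement ship with Ruby

# Affected ranges and the fixed release for each line, as listed in this advisory.
AFFECTED = [
  { range: Gem::Requirement.new(">= 3.7.0", "< 3.7.11"), fixed: "3.7.11" },
  { range: Gem::Requirement.new(">= 4.0.0", "< 4.0.4"),  fixed: "4.0.4"  },
  { range: Gem::Requirement.new(">= 4.1.0", "< 4.1.11"), fixed: "4.1.11" }
].freeze

# Constructed, simplified sample lockfile (not taken from a real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      spree (4.1.5)
        spree_api (= 4.1.5)
        spree_core (= 4.1.5)
      spree_api (4.1.5)
        spree_core (= 4.1.5)

  DEPENDENCIES
    spree (~> 4.1.0)
LOCK

# Hypothetical helper: returns the resolved spree version, or nil if absent.
# Resolved gems sit at exactly four spaces of indent under "specs:"; six-space
# lines are dependency constraints and two-space lines are Gemfile requirements,
# so neither of those is mistaken for the installed version.
def locked_spree_version(lockfile_text)
  m = lockfile_text.match(/^ {4}spree \(([^)\s]+)\)\s*$/)
  return nil unless m && Gem::Version.correct?(m[1])
  Gem::Version.new(m[1])
end

# Hypothetical helper: classifies the lockfile against the advisory's ranges.
def assess(lockfile_text)
  version = locked_spree_version(lockfile_text)
  return { status: :not_found } unless version
  hit = AFFECTED.find { |a| a[:range].satisfied_by?(version) }
  return { status: :not_affected, version: version.to_s } unless hit
  { status: :vulnerable, version: version.to_s, upgrade_to: hit[:fixed] }
end

puts assess(SAMPLE_LOCK).inspect if __FILE__ == $PROGRAM_NAME
```

To use it on a real project, pass `File.read("Gemfile.lock")` to `assess`.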