HIGH🇬🇧 English

CVE-2026-25757

CVSS 7.7v4.0pub. 2026-02-06upd. 2026-02-23

Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 5.0.8, 5.1.10, 5.2.7, and 5.3.2, unauthenticated users can view completed guest orders by Order ID. This issue may lead to disclosure of PII of guest users (including names, addresses and phone numbers). This issue has been patched in versions 5.0.8, 5.1.10, 5.2.7, and 5.3.2.

oryginał EN
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Spreecommerce Spree

    APP
    Spreecommerce
    < 5.0.85.1.0 – 5.1.10 (bez)5.2.0 – 5.2.7 (bez)5.3.0 – 5.3.2 (bez)
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
CWE
Referencje

Powiązane podatności

CVE-2011-10026CRITICAL9.3PL ✓ten sam produkt

RCE via command injection w API wyszukiwania Spreecommerce Spree

CVE-2011-10019CRITICAL10.0PL ✓ten sam produkt

RCE w Spreecommerce Spree — brak sanitizacji parametru wyszukiwania

CVE-2026-25758HIGH7.7ten sam produkt

Spree is an open source e-commerce solution built with Ruby on Rails. A critical IDOR vulnerability exists in ...

CVE-2026-22589HIGH7.5ten sam produkt

Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 4.10.2, 5.0.7, 5.1.9, ...

CVE-2020-26223HIGH7.7ten sam produkt

Spree is a complete open source e-commerce solution built with Ruby on Rails. In Spree from version 3.7 and be...

CVE-2026-25757 — HIGH 7.7 | CVEbaza.pl