Spree Unauthenticated Insecure Direct Object Reference Vulnerability in Guest Address Management

Vulnerability

A vulnerability allowing unauthenticated access to guest address information has been identified in Spree, an open-source e-commerce platform built with Ruby on Rails. This issue affects Spree versions prior to 4.10.2, 5.0.7, 5.1.9, and 5.2.5 on the corresponding release lines. The root cause is an authorization check on the guest address endpoints that does not verify that the requested address belongs to the requesting guest: because addresses are looked up by identifier alone, a guest (or a client with no session at all) can view and edit other guests' addresses simply by substituting a different address ID. This is a classic insecure direct object reference (IDOR). The issue has been addressed in the patched versions listed above.

Impact

Exploitation of this vulnerability allows unauthorized users to access and modify guest address information, including personally identifiable details such as names, physical addresses, and phone numbers. This could result in privacy violations, regulatory compliance issues, and a loss of user trust.

Reproduction

To reproduce this vulnerability, send a GET request to the guest address edit endpoint with no authentication and no session cookies, supplying an address ID that belongs to another guest user. On an affected version the response contains that address's details, demonstrating the insecure direct object reference. A patched version should refuse to return an address that the requesting guest does not own, so running the same request against both an affected and an upgraded instance is a quick way to confirm the fix took effect.
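The following Ruby example is added here to illustrate the authorization flaw described in the Vulnerability section and the reproduction check above. It is not Spree's code: the Address struct, the GUEST_ADDRESSES store, the guest_token field and the lookup and handler functions are hypothetical stand-ins for an ORM lookup inside a Rails controller. It shows the vulnerable pattern (fetch a record by ID alone) next to the hardened pattern (scope the fetch to the requesting guest's own session token), and a small check that simulates the unauthenticated request from the reproduction steps against both.

```ruby
# Added illustration of the guest-address IDOR pattern. Hypothetical model and
# handlers; none of this is Spree's own code.

Address = Struct.new(:id, :guest_token, :name, :line1, :phone)

# Constructed sample data: two distinct guests, one address each. The
# guest_token stands in for whatever session identifier ties a guest to
# their own records.
GUEST_ADDRESSES = [
  Address.new(1, "guest-token-a", "Alice Example", "1 Main St", "555-0100"),
  Address.new(2, "guest-token-b", "Bob Example",   "2 High St", "555-0101"),
].freeze

# Vulnerable pattern: the record is looked up by id alone. Any caller who
# knows or guesses an id receives the record, whoever owns it, and the caller
# does not even need a session.
def find_address_vulnerable(address_id)
  GUEST_ADDRESSES.find { |a| a.id == address_id }
end

# Hardened pattern: the lookup is scoped to the requesting guest's token. An
# id belonging to another guest, or a request with no token, yields nil, so the
# handler never learns whether that id exists.
def find_address_scoped(address_id, guest_token)
  return nil if guest_token.nil? || guest_token.empty?

  GUEST_ADDRESSES.find { |a| a.id == address_id && a.guest_token == guest_token }
end

# Lookup strategies the simulated handlers are parameterised with. A request is
# a hash with :address_id (from the URL) and :guest_token (from the session
# cookie, nil when the request carries none).
VULNERABLE_LOOKUP = ->(req) { find_address_vulnerable(req[:address_id]) }
HARDENED_LOOKUP   = ->(req) { find_address_scoped(req[:address_id], req[:guest_token]) }

# Simulated "edit" (read) endpoint: returns [status, body].
def handle_edit(request, lookup)
  address = lookup.call(request)
  return [404, "not found"] if address.nil?

  [200, { id: address.id, name: address.name, line1: address.line1, phone: address.phone }]
end

# Simulated "update" endpoint, showing that the same missing check also
# allows modification, not just disclosure.
def update_phone(request, lookup, new_phone)
  address = lookup.call(request)
  return [404, "not found"] if address.nil?

  address.phone = new_phone
  [200, address.phone]
end

# Reproduction check: a request with no session that asks for another guest's
# address id. Returns true when the endpoint hands the address back.
def idor_exposed?(lookup)
  attacker_request = { address_id: 2, guest_token: nil } # constructed request
  status, _body = handle_edit(attacker_request, lookup)
  status == 200
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable lookup exposes other guest's address: #{idor_exposed?(VULNERABLE_LOOKUP)}"
  puts "scoped lookup exposes other guest's address:     #{idor_exposed?(HARDENED_LOOKUP)}"
end
```

The important property of the scoped lookup is that ownership is part of the query itself rather than a check bolted on after the fetch; a record that does not belong to the caller is indistinguishable from one that does not exist, which also avoids leaking which IDs are valid.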

Remediation

Users should upgrade to Spree version 4.10.2, 5.0.7, 5.1.9, or 5.2.5 (whichever matches their release line) to address this vulnerability. Until the upgrade is deployed, it is worth reviewing web server access logs for unauthenticated requests to the guest address edit endpoint that iterate over address IDs, since that pattern is what exploitation of this issue looks like.

Added: Jan 10, 2026, 4:21 AM
Updated: Jan 10, 2026, 4:21 AM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 2.5
exploitability: 9.3
remediation: 7.7
relevance: 2.0
threat: 4.8
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.