Spree Authorization Bypass Vulnerability in Orders Controller Allowing PII Disclosure

Vulnerability

A vulnerability in the Spree e-commerce platform's OrdersController allows unauthenticated users to access completed guest orders using only the Order ID, without the associated order token. This oversight can lead to the unauthorized disclosure of personally identifiable information (PII) of guest users, including names, addresses, and phone numbers. The vulnerability exists in Spree versions prior to 5.0.8, 5.1.0, 5.2.7, and 5.3.2.

Impact

Exploitation of this vulnerability could result in unauthorized access to guest order details, including sensitive personal information such as names, addresses, and phone numbers.

Reproduction

To reproduce this vulnerability, create a completed guest order on a vulnerable version of Spree. After the order is placed, retrieve the Order ID from the database. Then, access the OrdersController's show action by navigating to the URL endpoint that includes the Order ID. This will bypass the token requirement and disclose the full order details, including personal information.
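The defect described above and in the Vulnerability section is an authorization check that is skipped on one access path. The following plain-Ruby model is an added example, not Spree's own code: it contrasts a lookup that serves an order by ID alone with one where every path to an order passes an explicit check (admin, owning user, or guest token compared in constant time). The Order and User structures, the guest_token field, the find_order_* function names and the sample records are all assumptions constructed for this example.

```ruby
# Illustrative model of the missing check (not Spree's own code): a guest
# order must only be served when the caller presents its order token.
# All names (Order, User, guest_token, find_order_*) are assumptions for
# this example; the sample records below are constructed.

Order = Struct.new(:id, :user_id, :guest_token, :email, keyword_init: true)
User  = Struct.new(:id, :admin, keyword_init: true)

GUEST_TOKEN = "constructed-guest-token-0123456789abcdef"

ORDERS = {
  101 => Order.new(id: 101, user_id: nil, guest_token: GUEST_TOKEN,
                   email: "guest@example.invalid"),
  102 => Order.new(id: 102, user_id: 7, guest_token: nil,
                   email: "member@example.invalid"),
}.freeze

ALICE = User.new(id: 7, admin: false)
BOB   = User.new(id: 8, admin: false)
ADMIN = User.new(id: 1, admin: true)

# Vulnerable shape: the order is looked up by id alone, so knowing the id is
# enough to read a completed guest order. current_user and token are ignored.
def find_order_vulnerable(orders, id, current_user: nil, token: nil)
  orders[id]
end

# Compare two secrets without short-circuiting on the first differing byte.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Hardened shape: every path to an order passes an explicit authorization
# check. Admins see everything; an order owned by a user is visible only to
# that user; a guest order is visible only with its token.
def find_order_hardened(orders, id, current_user: nil, token: nil)
  order = orders[id]
  return nil if order.nil?
  return order if current_user&.admin

  if order.user_id
    owner = current_user && current_user.id == order.user_id
    return owner ? order : nil
  end

  # Guest order: a missing token on either side is a denial, never a match.
  return nil if token.nil? || order.guest_token.nil?
  constant_time_equal?(order.guest_token, token) ? order : nil
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable, no token: #{find_order_vulnerable(ORDERS, 101)&.email.inspect}"
  puts "hardened, no token:   #{find_order_hardened(ORDERS, 101)&.email.inspect}"
  puts "hardened, token:      #{find_order_hardened(ORDERS, 101, token: GUEST_TOKEN)&.email.inspect}"
end
```

The point of the hardened version is that denial is the default on every branch: a nil user, a nil token or a nil stored token all fall through to nil rather than to the order, and the token comparison does not leak timing on the first mismatching byte.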

Remediation

Users can upgrade to Spree versions 5.0.8, 5.1.10, 5.2.7, or 5.3.2 to address this vulnerability.

Added: Feb 7, 2026, 12:15 AM
Updated: Feb 7, 2026, 12:15 AM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 2.5
exploitability: 9.7
remediation: 7.7
relevance: 2.8
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.