History: Jun 01, 2022 - 5:25 p.m.

CVE-2022-31000 CSRF allows attacker to finalize/unfinalize order adjustments in solidus_backend

CWE: CWE-352
Source: GitHub_M (www.cve.org)
Tags: cve-2022-31000, csrf, solidus_backend, upgrade, version fix, order adjustments

CVSS3: 2.3 (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N)
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: NONE

AI Score: 5 (Confidence: High)
EPSS: 0.001 (Percentile: 30.5%)

solidus_backend is the admin interface for the Solidus e-commerce framework. Versions prior to 3.1.6, 3.0.6, and 2.11.16 contain a cross-site request forgery (CSRF) vulnerability (CWE-352): an attacker who knows an order's number can craft a request that finalizes or unfinalizes that order's adjustments, and the request is executed, with the administrator's session, in the browser of a logged-in store administrator who loads the attacker's page. No data is disclosed; the impact is limited to the adjustment state of orders whose numbers the attacker knows. Users should upgrade to solidus_backend 3.1.6, 3.0.6, or 2.11.16 to receive a patch.

Note that the recorded CVSS vector (AV:L/PR:H/UI:N) describes a locally exploited, high-privilege issue with no user interaction, which does not match the CSRF described here (reachable over the network, triggered through the administrator's browser). Weigh the 2.3 score accordingly when prioritising the upgrade.
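The advisory does not say what request shape the affected endpoints accepted. The Ruby model below is an added illustration, not Solidus code, and assumes the most common Rails CSRF root cause: a state-changing action reachable via GET, which Rails' forgery protection never verifies. It contrasts that with the same action routed on PUT, where a request that lacks the session's authenticity token is rejected. The order number, the route shape and the AdminApp/Order classes are constructed for the example.

```ruby
# Added illustration: a minimal model of Rails-style CSRF protection, not Solidus code.
require 'securerandom'

# What the server sees for one request: HTTP verb, path, the session restored from the
# browser's cookie, and the submitted parameters.
Request = Struct.new(:verb, :path, :session, :params, keyword_init: true)

class Order
  attr_reader :number, :adjustments_finalized

  def initialize(number)
    @number = number
    @adjustments_finalized = false
  end

  def finalize_adjustments!
    @adjustments_finalized = true
  end

  def unfinalize_adjustments!
    @adjustments_finalized = false
  end
end

class AdminApp
  attr_reader :orders

  # finalize_verb: :get models the assumed vulnerable routing, :put the hardened one.
  def initialize(finalize_verb:)
    @finalize_verb = finalize_verb
    @orders = {}
  end

  def add_order(number)
    @orders[number] = Order.new(number)
  end

  # Mirrors protect_from_forgery: GET and HEAD are never verified, any other verb must
  # carry an authenticity_token equal to the token stored in the server-side session.
  def verified?(req)
    return true if %i[get head].include?(req.verb)

    token = req.params['authenticity_token']
    !token.nil? && token == req.session[:csrf_token]
  end

  def handle(req)
    return [401, 'not logged in'] unless req.session[:admin]
    return [422, 'invalid authenticity token'] unless verified?(req)

    m = req.path.match(%r{\A/admin/orders/(?<number>[^/]+)/adjustments/(?<action>finalize|unfinalize)\z})
    return [404, 'not found'] unless m && req.verb == @finalize_verb

    order = @orders[m[:number]]
    return [404, 'no such order'] unless order

    m[:action] == 'finalize' ? order.finalize_adjustments! : order.unfinalize_adjustments!
    [200, "#{m[:action]}d adjustments for order #{order.number}"]
  end
end

# A forged cross-site request: the browser attaches the admin's session cookie, but the
# attacker's page cannot read the per-session token, so the request carries none.
def forged_finalize(app, order_number, verb)
  session = { admin: true, csrf_token: SecureRandom.hex(16) }
  app.handle(Request.new(verb: verb, path: "/admin/orders/#{order_number}/adjustments/finalize",
                         session: session, params: {}))
end

# The admin's own form submission: rendered by the app, so it carries the matching token.
def legitimate_finalize(app, order_number)
  session = { admin: true, csrf_token: SecureRandom.hex(16) }
  app.handle(Request.new(verb: :put, path: "/admin/orders/#{order_number}/adjustments/finalize",
                         session: session, params: { 'authenticity_token' => session[:csrf_token] }))
end

# Runs the forged request against both routings; the order number is constructed.
def demo(number = 'R123456789')
  vulnerable = AdminApp.new(finalize_verb: :get)
  vulnerable.add_order(number)
  hardened = AdminApp.new(finalize_verb: :put)
  hardened.add_order(number)

  result = {}
  result[:forged_on_get] = forged_finalize(vulnerable, number, :get)
  result[:vulnerable_state_after_forgery] = vulnerable.orders[number].adjustments_finalized
  result[:forged_on_put] = forged_finalize(hardened, number, :put)
  result[:hardened_state_after_forgery] = hardened.orders[number].adjustments_finalized
  result[:legit_on_put] = legitimate_finalize(hardened, number)
  result[:hardened_state_after_legit] = hardened.orders[number].adjustments_finalized
  result
end

p demo if $PROGRAM_NAME == __FILE__
```

The point the model makes is that a session cookie alone is not proof the user meant to send a request; only a verb that the framework actually verifies, plus a token the cross-site page cannot read, binds the action to the administrator's intent.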

CNA Affected

[
  {
    "product": "solidus",
    "vendor": "solidusio",
    "versions": [
      {
        "status": "affected",
        "version": "< 2.11.16"
      },
      {
        "status": "affected",
        "version": ">= 3.0.0, < 3.0.6"
      },
      {
        "status": "affected",
        "version": ">= 3.1.0, < 3.1.6"
      }
    ]
  }
]
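To check a deployment against the affected ranges listed above, here is an added Ruby helper, not from the advisory or from Solidus, that reads the resolved solidus_backend version out of a Gemfile.lock and compares it with the first fixed release of each branch. Versions outside every listed range (for example a later minor series) are reported as not affected by this record. The lockfile excerpt is constructed for the example.

```ruby
# Added helper, not from the advisory or Solidus: check a Gemfile.lock against the ranges above.
require 'rubygems'

# First fixed release of each affected branch, taken from the CNA "affected" entries.
FIXED_VERSIONS = %w[2.11.16 3.0.6 3.1.6].map { |v| Gem::Version.new(v) }.freeze

# Returns the fixed release of the branch the given version belongs to, or nil when the
# version is outside every range this record lists (e.g. a later minor series).
def fixed_version_for(version_string)
  v = Gem::Version.new(version_string)
  v2_11_16, v3_0_6, v3_1_6 = FIXED_VERSIONS
  return v2_11_16.to_s if v < Gem::Version.new('3.0.0')
  return v3_0_6.to_s   if v < Gem::Version.new('3.1.0')
  return v3_1_6.to_s   if v < Gem::Version.new('3.2.0')

  nil
end

# True when the version lies inside one of the affected ranges (prereleases of a fixed
# version sort below it in Gem::Version and are therefore still affected).
def affected?(version_string)
  fixed = fixed_version_for(version_string)
  !fixed.nil? && Gem::Version.new(version_string) < Gem::Version.new(fixed)
end

# Pulls the resolved version of a gem out of Gemfile.lock: in the specs section a resolved
# gem is indented by exactly four spaces and its dependencies by six, so the anchor is exact.
def locked_version(lockfile_text, gem_name = 'solidus_backend')
  m = lockfile_text.match(/^ {4}#{Regexp.escape(gem_name)} \(([^)]+)\)$/)
  m && m[1]
end

def assess(lockfile_text)
  version = locked_version(lockfile_text)
  return { version: nil, affected: false, fixed_in: nil } unless version

  hit = affected?(version)
  { version: version, affected: hit, fixed_in: hit ? fixed_version_for(version) : nil }
end

# Constructed Gemfile.lock excerpt for the example (not a real project's lockfile).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      solidus (3.1.5)
        solidus_api (= 3.1.5)
        solidus_backend (= 3.1.5)
        solidus_core (= 3.1.5)
      solidus_backend (3.1.5)
        solidus_api (= 3.1.5)
        solidus_core (= 3.1.5)
LOCK

p assess(SAMPLE_LOCK) if $PROGRAM_NAME == __FILE__
```

Run it against a real lockfile with `assess(File.read('Gemfile.lock'))`; a `fixed_in` value is the release to move to on the branch you are already on.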

