Solidus does not perform proper validation. The vulnerability exists because it was possible to change the address of the current order without changing the shipment cost by sending crafted request data with parameters.
gist.github.com/kennyadsl/4618cd9797984cb64f7700a81bda889d
github.com/advisories/GHSA-3mvg-rrrw-m7ph
github.com/solidusio/solidus/compare/2ef07370703e6aa424295aa670de80cc547e8d03...8eceb9ce3a6294c1d8652dad36ef8de038f912b0
github.com/solidusio/solidus/compare/5c88af72473e2e6b898d671bfb3b62148562bbfa...67ab34bf89eeffd7cfaccbc4df9d840466e57eb1
github.com/solidusio/solidus/compare/a8cf0be932d647b8f3c6ae41e8839d833e76bb20...6ea24fea2a1fb90cb22857d9ee9cc33033559d70
github.com/solidusio/solidus/security/advisories/GHSA-3mvg-rrrw-m7ph