In Spree before versions 3.7.11, 4.0.4, or 4.1.11, expired user tokens could be used to access Storefront API v2 endpoints. The issue is patched in versions 3.7.11, 4.0.4 and 4.1.11. A workaround without upgrading is described in the linked advisory.
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Spree | Sparksolutions | * | 3.7.11 (excluding) |
| Spree | Sparksolutions | 4.0.0 (including) | 4.0.4 (excluding) |
| Spree | Sparksolutions | 4.1.0 (including) | 4.1.11 (excluding) |