{"id":"CVE-2022-31000","summary":"CSRF allows attacker to finalize/unfinalize order adjustments in solidus_backend","details":"solidus_backend is the admin interface for the Solidus e-commerce framework. Versions prior to 3.1.6, 3.0.6, and 2.11.16 contain a cross-site request forgery (CSRF, CWE-352) vulnerability. An attacker who knows an order's number can finalize or unfinalize that order's adjustments by inducing an authenticated store administrator's browser to issue the forged request; the state change is executed with the administrator's session, so the attacker needs no credentials of their own but does need the administrator to load attacker-controlled content while logged in to the admin interface. Users should upgrade to solidus_backend 3.1.6, 3.0.6, or 2.11.16 to receive a patch.","aliases":["GHSA-8639-qx56-r428"],"modified":"2026-04-10T04:47:43.364406Z","published":"2022-06-01T17:25:11Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/31xxx/CVE-2022-31000.json","cna_assigner":"GitHub_M","cwe_ids":["CWE-352"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/31xxx/CVE-2022-31000.json"},{"type":"ADVISORY","url":"https://github.com/solidusio/solidus/security/advisories/GHSA-8639-qx56-r428"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-31000"},{"type":"FIX","url":"https://github.com/solidusio/solidus/commit/de796a2e0be7f154cae48b46e267501559d9716c"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/solidusio/solidus","events":[{"introduced":"0"},{"fixed":"04180e6f14eb47d9ae5d009ddf4b1a4edf8f32e7"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"2.11.16"}]}},{"type":"GIT","repo":"https://github.com/solidusio/solidus","events":[{"introduced":"a731a1a7bede0b7cd012551c27ebdd74e08c022a"},{"fixed":"5a500c2fd9885047165ada08a8d339a68cb83fe4"}],"database_specific":{"versions":[{"introduced":"3.0.0"},{"fixed":"3.0.6"}]}},{"type":"GIT","repo":"https://github.com/solidusio/solidus","events":[{"introduced":"1e06d430ba17c8ac092ddb00f23b38eb5c062b80"},{"fixed":"5ae2db37a4dd7a1f2779854826bc512b9391aae1"}],"database_specific":{"versions":[{"introduced":"3
.1.0"},{"fixed":"3.1.6"}]}}],"versions":["v1.0.0.pre","v1.0.0.pre2","v1.0.0.pre3","v1.1.0.beta1","v1.1.0.pre2","v2.0.0.beta1","v2.10.0.beta1","v2.11.0","v2.11.1","v2.11.10","v2.11.11","v2.11.12","v2.11.13","v2.11.14","v2.11.15","v2.11.2","v2.11.3","v2.11.4","v2.11.5","v2.11.6","v2.11.7","v2.11.8","v2.11.9","v2.7.0","v2.9.0.rc.1","v3.0.0","v3.0.1","v3.0.2","v3.0.3","v3.0.4","v3.0.5","v3.1.0","v3.1.1","v3.1.2","v3.1.3","v3.1.4","v3.1.5"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-31000.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N"}]}