VYPR
Low severity · NVD Advisory · Published Jun 1, 2022 · Updated Apr 22, 2025

CSRF allows attacker to finalize/unfinalize order adjustments in solidus_backend

CVE-2022-31000

Description

solidus_backend is the admin interface for the Solidus e-commerce framework. Versions prior to 3.1.6, 3.0.6, and 2.11.16 contain a cross-site request forgery (CSRF) vulnerability: the admin endpoints that finalize and unfinalize all adjustments on an order were routed as GET requests, and Rails' authenticity-token check does not apply to GET. An attacker who knows an order's number can therefore flip the finalized state of that order's adjustments by getting a logged-in store administrator's browser to load a crafted link or image that targets the endpoint; the browser attaches the administrator's session cookie and no token is required. Users should upgrade to solidus_backend 3.1.6, 3.0.6, or 2.11.16, which route these actions through PUT and remove the GET route.
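To make the mechanics concrete, the following Ruby model is an added example and is not Solidus or Rails code: it imitates the relevant part of Rails' forgery check (the authenticity token is verified only on non-GET/HEAD requests) together with a two-route table, and shows why the original GET endpoints could be driven by any page the administrator visits while the PUT replacements cannot. The order number, session token and route patterns are constructed assumptions.

```ruby
# Added illustration (not Solidus or Rails code): why a state-changing GET
# route is CSRF-exploitable even with forgery protection enabled. Rails'
# protect_from_forgery skips the token check for GET/HEAD, so the fix is to
# require PUT (token-checked) and drop the GET route entirely.

class RoutingError < StandardError; end
class InvalidAuthenticityToken < StandardError; end

# One request as a browser would send it: verb, path and form params.
Request = Struct.new(:verb, :path, :params, keyword_init: true)

class AdminApp
  attr_reader :orders, :session_token

  # routes: array of [verb, path_pattern, action]
  def initialize(routes)
    @routes = routes
    @session_token = "s3cret-token"          # assumed token bound to the admin session
    @orders = Hash.new { |h, k| h[k] = { finalized: false } }
  end

  def call(req)
    verify_authenticity_token!(req)
    action = @routes.find { |verb, pat, _| verb == req.verb && pat.match?(req.path) }&.last
    raise RoutingError, "No route matches [#{req.verb}] #{req.path}" unless action
    number = req.path[%r{/orders/([^/]+)/}, 1]
    send(action, number)
  end

  private

  # Mirrors the shape of Rails' verified_request?: GET and HEAD are never checked.
  def verify_authenticity_token!(req)
    return if %w[GET HEAD].include?(req.verb)
    given = req.params && req.params["authenticity_token"]
    raise InvalidAuthenticityToken unless given == @session_token
  end

  def finalize_adjustments(number)
    @orders[number][:finalized] = true
  end

  def unfinalize_adjustments(number)
    @orders[number][:finalized] = false
  end
end

ADJ = %r{\A/admin/orders/[^/]+/adjustments/}
VULNERABLE_ROUTES = [                      # before the fix: GET
  ["GET", %r{#{ADJ}finalize\z},   :finalize_adjustments],
  ["GET", %r{#{ADJ}unfinalize\z}, :unfinalize_adjustments],
]
PATCHED_ROUTES = [                         # after the fix: PUT only
  ["PUT", %r{#{ADJ}finalize\z},   :finalize_adjustments],
  ["PUT", %r{#{ADJ}unfinalize\z}, :unfinalize_adjustments],
]

# The attacker only needs the order number; an <img src="..."> on any page the
# admin visits makes the browser send this GET with the admin's cookies.
def forged_get(number)
  Request.new(verb: "GET", path: "/admin/orders/#{number}/adjustments/finalize", params: {})
end

# Scenario 1: vulnerable routing, the forged GET changes state.
def forged_get_succeeds?(number = "R123456789")
  app = AdminApp.new(VULNERABLE_ROUTES)
  app.call(forged_get(number))
  app.orders[number][:finalized]
end

# Scenario 2: patched routing, the forged GET hits no route and state is untouched.
def forged_get_rejected?(number = "R123456789")
  app = AdminApp.new(PATCHED_ROUTES)
  begin
    app.call(forged_get(number))
  rescue RoutingError
    return !app.orders[number][:finalized]
  end
  false
end

# Scenario 3: a forged PUT (auto-submitted cross-site form) lacks the
# session-bound token and is rejected before the action runs.
def forged_put_rejected?(number = "R123456789")
  app = AdminApp.new(PATCHED_ROUTES)
  req = Request.new(verb: "PUT", path: "/admin/orders/#{number}/adjustments/finalize",
                    params: { "authenticity_token" => "guess" })
  begin
    app.call(req)
  rescue InvalidAuthenticityToken
    return !app.orders[number][:finalized]
  end
  false
end

# Scenario 4: the legitimate button_to form (method: :put) carries the token.
def legit_put_succeeds?(number = "R123456789")
  app = AdminApp.new(PATCHED_ROUTES)
  req = Request.new(verb: "PUT", path: "/admin/orders/#{number}/adjustments/finalize",
                    params: { "authenticity_token" => app.session_token })
  app.call(req)
  app.orders[number][:finalized]
end
```

The model deliberately leaves out everything except the verb check, because that is the whole story here: the same cookie-authenticated browser sends all four requests, and only the verb decides whether the token is demanded.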

Affected packages

Versions sourced from the GitHub Security Advisory.

Package            Ecosystem   Affected versions     Patched version
solidus_backend    RubyGems    < 2.11.16             2.11.16
solidus_backend    RubyGems    >= 3.0.0, < 3.0.6     3.0.6
solidus_backend    RubyGems    >= 3.1.0, < 3.1.6     3.1.6
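A check a practitioner would want from this table: given a Gemfile.lock, is the locked solidus_backend inside one of the three affected ranges, and which release fixes it? The script below is an added example, not part of the advisory or of Solidus; it encodes the ranges from the table with RubyGems' Gem::Requirement, and the lockfile excerpt it scans is constructed.

```ruby
# Added helper (not from the advisory or Solidus): decide from Gemfile.lock text
# whether the locked solidus_backend falls in an affected range for
# CVE-2022-31000 and report the patched version to move to.
require "rubygems"

# Affected ranges exactly as listed in the table; each maps to its fix release.
AFFECTED = [
  [Gem::Requirement.new("< 2.11.16"),           "2.11.16"],
  [Gem::Requirement.new(">= 3.0.0", "< 3.0.6"), "3.0.6"],
  [Gem::Requirement.new(">= 3.1.0", "< 3.1.6"), "3.1.6"],
]

# Returns the patched version to upgrade to, or nil if the version is not affected.
def solidus_backend_fix_for(version_string)
  version = Gem::Version.new(version_string)
  match = AFFECTED.find { |req, _| req.satisfied_by?(version) }
  match && match.last
end

# Pull a gem's locked version out of Gemfile.lock text. Top-level specs are
# indented four spaces as "name (x.y.z)"; dependency lines are indented six
# and carry an operator, so they do not match.
def locked_version(lockfile_text, gem_name)
  m = lockfile_text.match(/^\s{4}#{Regexp.escape(gem_name)} \(([^)\s]+)\)/)
  m && m[1]
end

def audit_lockfile(lockfile_text)
  v = locked_version(lockfile_text, "solidus_backend")
  return "solidus_backend not in lockfile" unless v
  fix = solidus_backend_fix_for(v)
  if fix
    "solidus_backend #{v} is affected by CVE-2022-31000; upgrade to #{fix}"
  else
    "solidus_backend #{v} is not in an affected range"
  end
end

# Constructed sample lockfile excerpt, not a real project's Gemfile.lock.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      solidus_api (3.1.5)
        solidus_core (= 3.1.5)
      solidus_backend (3.1.5)
        solidus_api (= 3.1.5)
        solidus_core (= 3.1.5)
      solidus_core (3.1.5)
LOCK

puts audit_lockfile(SAMPLE_LOCK) if __FILE__ == $0
```

Run it against a real lockfile with `audit_lockfile(File.read("Gemfile.lock"))`; Gem::Version ordering handles prerelease suffixes, so a 3.1.6 prerelease still reports as affected, which is the conservative answer.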

Patches

Commit de796a2e0be7

Merge pull request from GHSA-8639-qx56-r428

https://github.com/solidusio/solidus · Marc Busqué · Jun 1, 2022 · via ghsa
3 files changed · +43 −5
  • backend/app/views/spree/admin/adjustments/_adjustments_table.html.erb · +2 −2 · modified
    @@ -13,12 +13,12 @@
         <tr data-hook="adjustment_buttons">
           <td class="align-right" colspan="2" style="width: 50%">
             <% if can? :update, Spree::Adjustment %>
    -          <%= button_to t('spree.unfinalize_all_adjustments'), adjustments_unfinalize_admin_order_path(@order), method: :get %>
    +          <%= button_to t('spree.unfinalize_all_adjustments'), adjustments_unfinalize_admin_order_path(@order), method: :put %>
             <% end %>
           </td>
           <td colspan="2" style="width: 50%">
             <% if can? :update, Spree::Adjustment %>
    -          <%= button_to t('spree.finalize_all_adjustments'), adjustments_finalize_admin_order_path(@order), method: :get %>
    +          <%= button_to t('spree.finalize_all_adjustments'), adjustments_finalize_admin_order_path(@order), method: :put %>
             <% end %>
           </td>
           <td class='actions'>&nbsp;</td>
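Review bot: `method: :put` on both button_to calls is right, but it is only safe because this partial and the routes change in the same commit: button_to now renders a form with a hidden `_method=put` field plus the session's authenticity token, and that token is what Rails verifies on non-GET requests. Two things are worth stating explicitly in the PR: the protection still depends on forgery protection being enabled on the admin controllers (nothing in this diff turns it on), and any other view, link or integration that reached `adjustments_finalize_admin_order_path` / `adjustments_unfinalize_admin_order_path` via GET will now fail, so grep for callers before merging.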
    
  • backend/config/routes.rb · +3 −3 · modified
    @@ -77,8 +77,8 @@
             get :confirm
             put :complete
             post :resend
    -        get "/adjustments/unfinalize", to: "orders#unfinalize_adjustments"
    -        get "/adjustments/finalize", to: "orders#finalize_adjustments"
    +        put "/adjustments/unfinalize", to: "orders#unfinalize_adjustments"
    +        put "/adjustments/finalize", to: "orders#finalize_adjustments"
             put :approve
             put :cancel
             put :resume
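Review bot: the switch from `get` to `put` on the two adjustments routes is what actually closes the hole, because Rails skips authenticity-token verification for GET and HEAD; `get :confirm` directly above is only acceptable as long as that action stays read-only. Add a one-line comment on the two `put` lines saying these actions mutate state and must never go back to GET, since a future "turn the button into a link" refactor would silently reintroduce the CSRF.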
    @@ -91,7 +91,7 @@
             end
           end
     
    -      resources :adjustments
    +      resources :adjustments, except: [:show]
           resources :return_authorizations do
             member do
               put :fire
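Review bot: the reason for `except: [:show]` needs a comment in the routes file. Once finalize/unfinalize stop answering GET, a GET to /admin/orders/:order_id/adjustments/finalize would otherwise fall through to the nested adjustments#show route with id "finalize", and that is precisely why the spec in this commit can expect ActionController::RoutingError. Without the comment the default `resources :adjustments` line will be restored by someone tidying up. Also confirm nothing links to the show helper (admin_order_adjustment_path by Rails naming) before the route disappears.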
    
  • backend/spec/features/admin/orders/adjustments_spec.rb · +38 −0 · modified
    @@ -111,6 +111,44 @@
           end
         end
     
    +    context "admin bulk editing adjustments" do
    +      it "allows finalizing all the adjustments" do
    +        order.all_adjustments.each(&:unfinalize!)
    +
    +        click_button "Finalize All Adjustments"
    +
    +        expect(order.reload.adjustments.all?(&:finalized?)).to be(true)
    +      end
    +
    +      it "allows unfinalizing all the adjustments" do
    +        order.all_adjustments.each(&:finalize!)
    +
    +        click_button "Unfinalize All Adjustments"
    +
    +        expect(order.reload.adjustments.any?(&:finalized?)).to be(false)
    +      end
    +
    +      it "can't finalize via a GET request" do
    +        order.all_adjustments.each(&:unfinalize!)
    +
    +        expect {
    +          visit "/admin/orders/#{order.number}/adjustments/finalize"
    +        }.to raise_error(ActionController::RoutingError)
    +
    +        expect(order.reload.adjustments.any?(&:finalized?)).to be(false)
    +      end
    +
    +      it "can't unfinalize via a GET request" do
    +        order.all_adjustments.each(&:finalize!)
    +
    +        expect {
    +          visit "/admin/orders/#{order.number}/adjustments/unfinalize"
    +        }.to raise_error(ActionController::RoutingError)
    +
    +        expect(order.reload.adjustments.all?(&:finalized?)).to be(true)
    +      end
    +    end
    +
         context "deleting an adjustment" do
           context 'when the adjustment is finalized' do
             let!(:adjustment) { super().tap(&:finalize!) }
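Review bot: the two "can't ... via a GET request" specs prove the GET routes are gone, not that the PUT endpoints are CSRF-protected. Capybara's rack_test driver submits the button's form including the authenticity_token, and the Rails test environment sets `config.action_controller.allow_forgery_protection = false` by default, so the two "allows ..." specs would pass even if token verification were broken. Add a request spec that sets `ActionController::Base.allow_forgery_protection = true` for the example, issues `put "/admin/orders/#{order.number}/adjustments/finalize"` without a token, expects ActionController::InvalidAuthenticityToken (or whatever the configured forgery response is), and then asserts the adjustments are still unfinalized.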
    
