GHSA SYNC: 2 new advisories; 3 modified advisories (#989)

Author: jasnow

gems/phlex/GHSA-w67g-2h6v-vjgq.yml

@@ -60,4 +60,5 @@ related:
     - https://github.com/yippee-fun/phlex/commit/74e3d8610ffabc2cf5f241945e9df4b14dceb97d
     - https://github.com/yippee-fun/phlex/commit/9f56ad13bea9a7d6117fdfd510446c890709eeac
     - https://github.com/yippee-fun/phlex/commit/fe9ea708672f9fa42526d9b47e1cdc4634860ef1
+    - https://advisories.gitlab.com/pkg/gem/phlex/GHSA-w67g-2h6v-vjgq
     - https://github.com/advisories/GHSA-w67g-2h6v-vjgq

gems/spree_api/GHSA-87fh-rc96-6fr6.yml gems/spree_api/CVE-2026-25758.ymlgems/spree_api/GHSA-87fh-rc96-6fr6.yml renamed to gems/spree_api/CVE-2026-25758.yml

@@ -1,5 +1,6 @@
 ---
 gem: spree_api
+cve: 2026-25758
 ghsa: 87fh-rc96-6fr6
 url: https://github.com/spree/spree/security/advisories/GHSA-87fh-rc96-6fr6
 title: Unauthenticated Spree Commerce users can access all guest addresses
@@ -17,8 +18,8 @@ description: |
 
   ### Impact
 
-  This issue may lead to disclosure of PII of guest users (including
-  names, addresses and phone numbers).
+  This issue may lead to disclosure of PII of guest users
+  (including names, addresses and phone numbers).
 
   ### Unauthenticated users can access all guest addresses (`GHSL-2026-027`)
 
@@ -54,8 +55,8 @@ description: |
 
   #### Impact
 
-  This issue may lead to disclosure of PII of guest users (including
-  names, addresses and phone numbers).
+  This issue may lead to disclosure of PII of guest users
+  (including names, addresses and phone numbers).
 
   #### CWEs
 
@@ -64,8 +65,7 @@ description: |
 
   ### Credit
 
-  This issue was discovered with the [GitHub Security Lab Taskflow
-  Agent](https://github.com/GitHubSecurityLab/seclab-taskflow-agent)
+  This issue was discovered with the [GitHub Security Lab Taskflow Agent](https://github.com/GitHubSecurityLab/seclab-taskflow-agent)
   and manually verified by GHSL team members
   [@p- (Peter Stöckli)](https://github.com/p-) and
   [@m-y-mo (Man Yue Mo)](https://github.com/m-y-mo).
@@ -74,6 +74,7 @@ description: |
 
   This report is subject to a 90-day disclosure deadline, as
   described in more detail in our [coordinated disclosure policy](https://securitylab.github.com/advisories#policy).
+cvss_v4: 7.7
 patched_versions:
   - "~> 4.10.3"
   - "~> 5.0.8"
@@ -82,6 +83,7 @@ patched_versions:
   - ">= 5.3.2"
 related:
   url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2026-25758
     - https://github.com/spree/spree/security/advisories/GHSA-87fh-rc96-6fr6
     - https://github.com/spree/spree/commit/15619618e43b367617ec8d2d4aafc5e54fa7b734
     - https://github.com/spree/spree/commit/29282d1565ba4f7bc2bbc47d550e2c0c6d0ae59f
@@ -92,6 +94,5 @@ related:
     - https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/core/app/models/spree/order/checkout.rb#L241-L254
     - https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/core/app/services/spree/checkout/update.rb#L33-L48
     - https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/core/lib/spree/permitted_attributes.rb#L92-L96
+    - https://advisories.gitlab.com/pkg/gem/spree_api/CVE-2026-25758
     - https://github.com/advisories/GHSA-87fh-rc96-6fr6
-notes: |
-  - CVE-2026-25758 in GHSA Advisory.

…spree_storefront/GHSA-p6pv-q7rc-g4h9.yml gems/spree_storefront/CVE-2026-25757.ymlgems/spree_storefront/GHSA-p6pv-q7rc-g4h9.yml renamed to gems/spree_storefront/CVE-2026-25757.yml gems/spree_storefront/GHSA-p6pv-q7rc-g4h9.yml renamed to gems/spree_storefront/CVE-2026-25757.yml

@@ -1,5 +1,6 @@
 ---
 gem: spree_storefront
+cve: 2026-25757
 ghsa: p6pv-q7rc-g4h9
 url: https://github.com/spree/spree/security/advisories/GHSA-p6pv-q7rc-g4h9
 title: Unauthenticated Spree Commerce users can view completed
@@ -12,14 +13,16 @@ description: |
   guest orders by order number alone, without requiring the
   associated order token.
 
-  Order lookup without enforcing token requirement in [`OrdersController#show`](https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/storefront/app/controllers/spree/orders_controller.rb#L14):
+  Order lookup without enforcing token requirement in
+  [`OrdersController#show`](https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/storefront/app/controllers/spree/orders_controller.rb#L14):
 
   ```ruby
   @order = complete_order_finder.new(number: params[:id],
     token: params[:token], store: current_store).execute.first
   ```
 
   Authorization bypass for guest orders in [`authorize_access`](https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/storefront/app/controllers/spree/orders_controller.rb#L51C1-L55C8):
+
   ```ruby
   def authorize_access
     return true if @order.user_id.nil?
@@ -30,13 +33,13 @@ description: |
 
   If the attacker is in possession of a leaked Order ID, they might
   look it up directly via this API.
-  Alternatively, brute forcing all or parts of the possible
-  Order IDs might be feasible for an attacker. (The Order IDs
-  themselves are [securely generated](https://github.com/spree/spree/blob/a878eb4a782ce0445d218ea86fb12075b0e3d7cc/core/lib/spree/core/number_generator.rb#L45),
-  but with relatively low entropy: by default an order ID has a
-  length of 9 and a base of 10, that would require an attacker to
-  perform 1 billion requests to gather all guest orders. (At an
-  assumed constant rate of 100 requests per second it would take 115 days.)
+  Alternatively, brute forcing all or parts of the possible Order IDs
+  might be feasible for an attacker. (The Order IDs themselves are
+  [securely generated](https://github.com/spree/spree/blob/a878eb4a782ce0445d218ea86fb12075b0e3d7cc/core/lib/spree/core/number_generator.rb#L45),
+  but with relatively low entropy: by default an order ID has a length
+  of 9 and a base of 10, that would require an attacker to perform
+  1 billion requests to gather all guest orders. (At an assumed
+  constant rate of 100 requests per second it would take 115 days.)
 
   #### Impact
 
@@ -58,13 +61,15 @@ description: |
 
   This report is subject to a 90-day disclosure deadline, as
   described in more detail in our [coordinated disclosure policy](https://securitylab.github.com/advisories#policy).
+cvss_v4: 7.7
 patched_versions:
   - "~> 5.0.8"
   - "~> 5.1.10"
   - "~> 5.2.7"
   - ">= 5.3.2"
 related:
   url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2026-25757
     - https://github.com/spree/spree/security/advisories/GHSA-p6pv-q7rc-g4h9
     - https://github.com/spree/spree/commit/3e00be64c128ef4bd4b99731f0c3ab469509cfab
     - https://github.com/spree/spree/commit/6b32ed7d474aa55fa441990e6aa39740152aa1be
@@ -73,6 +78,5 @@ related:
     - https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/storefront/app/controllers/spree/orders_controller.rb#L14
     - https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/storefront/app/controllers/spree/orders_controller.rb#L51C1-L55C8
     - https://github.com/spree/spree/blob/a878eb4a782ce0445d218ea86fb12075b0e3d7cc/core/lib/spree/core/number_generator.rb#L45
+    - https://advisories.gitlab.com/pkg/gem/spree_storefront/CVE-2026-25757
     - https://github.com/advisories/GHSA-p6pv-q7rc-g4h9
-notes: |
-  - CVE-2026-25757 in GHSA advisory.