Search criteria
9 vulnerabilities by spreecommerce
CVE-2011-10026 (GCVE-0-2011-10026)
Vulnerability from cvelistv5 – Published: 2025-08-20 15:41 – Updated: 2025-11-25 14:19
VLAI?
Summary
Spreecommerce versions prior to 0.50.x contain a remote command execution vulnerability in the API's search functionality. Improper input sanitation allows attackers to inject arbitrary shell commands via the search[instance_eval] parameter, which is dynamically invoked using Ruby’s send method. This flaw enables unauthenticated attackers to execute commands on the server.
Severity ?
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Spreecommerce | Spreecommerce |
Affected:
* , < 0.50.x
(semver)
|
Credits
Joernchen (Phenoelit)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2011-10026",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-20T18:45:19.867407Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-20T18:45:28.505Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"API search functionality (searchlogic)",
"search[instance_eval] parameter"
],
"product": "Spreecommerce",
"vendor": "Spreecommerce",
"versions": [
{
"lessThan": "0.50.x",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:spreecommerce:spree:*:*:*:*:*:*:*:*",
"versionEndExcluding": "0.50",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Joernchen (Phenoelit)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Spreecommerce versions prior to 0.50.x contain a remote command execution vulnerability in the API\u0027s search functionality. Improper input sanitation allows attackers to inject arbitrary shell commands via the search[instance_eval] parameter, which is dynamically invoked using Ruby\u2019s send method. This flaw enables unauthenticated attackers to execute commands on the server."
}
],
"value": "Spreecommerce versions prior to 0.50.x contain a remote command execution vulnerability in the API\u0027s search functionality. Improper input sanitation allows attackers to inject arbitrary shell commands via the search[instance_eval] parameter, which is dynamically invoked using Ruby\u2019s send method. This flaw enables unauthenticated attackers to execute commands on the server."
}
],
"impacts": [
{
"capecId": "CAPEC-242",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-242 Code Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-25T14:19:12.623Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/spree_searchlogic_exec.rb"
},
{
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/17199"
},
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://web.archive.org/web/20111120023342/http://spreecommerce.com/blog/2011/04/19/security-fixes"
},
{
"tags": [
"product"
],
"url": "https://github.com/spree"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/spreecommerce-api-rce"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Spreecommerce \u003c 0.50.x API RCE",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2011-10026",
"datePublished": "2025-08-20T15:41:40.151Z",
"dateReserved": "2025-08-18T20:39:27.409Z",
"dateUpdated": "2025-11-25T14:19:12.623Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2011-10019 (GCVE-0-2011-10019)
Vulnerability from cvelistv5 – Published: 2025-08-13 20:53 – Updated: 2025-11-20 02:01
VLAI?
Summary
Spreecommerce versions prior to 0.60.2 contains a remote command execution vulnerability in its search functionality. The application fails to properly sanitize input passed via the search[send][] parameter, which is dynamically invoked using Ruby’s send method. This allows attackers to execute arbitrary shell commands on the server without authentication.
Severity ?
CWE
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Spreecommerce | Spreecommerce |
Affected:
* , < 0.60.2
(semver)
|
Credits
joernchen
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2011-10019",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-14T13:45:30.960902Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-14T14:52:06.504Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"search[send][]",
"Kernel.fork",
"eval"
],
"product": "Spreecommerce",
"vendor": "Spreecommerce",
"versions": [
{
"lessThan": "0.60.2",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:spreecommerce:spree:*:*:*:*:*:*:*:*",
"versionEndExcluding": "0.60.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "joernchen"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Spreecommerce versions prior to 0.60.2 contains a remote command execution vulnerability in its search functionality. The application fails to properly sanitize input passed via the search[send][] parameter, which is dynamically invoked using Ruby\u2019s send method. This allows attackers to execute arbitrary shell commands on the server without authentication."
}
],
"value": "Spreecommerce versions prior to 0.60.2 contains a remote command execution vulnerability in its search functionality. The application fails to properly sanitize input passed via the search[send][] parameter, which is dynamically invoked using Ruby\u2019s send method. This allows attackers to execute arbitrary shell commands on the server without authentication."
}
],
"impacts": [
{
"capecId": "CAPEC-242",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-242 Code Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-1321",
"description": "CWE-1321 Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-20T02:01:10.285Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/spree_search_exec.rb"
},
{
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/17941"
},
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://web.archive.org/web/20111009192436/http://spreecommerce.com/blog/2011/10/05/remote-command-product-group/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/spreecommerce-search-parameter-rce"
},
{
"tags": [
"product"
],
"url": "https://github.com/orgs/spree"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Spreecommerce \u003c 0.60.2 Search Parameter RCE",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2011-10019",
"datePublished": "2025-08-13T20:53:33.577Z",
"dateReserved": "2025-08-13T18:01:12.138Z",
"dateUpdated": "2025-11-20T02:01:10.285Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2021-41275 (GCVE-0-2021-41275)
Vulnerability from cvelistv5 – Published: 2021-11-17 19:50 – Updated: 2024-08-04 03:08
VLAI?
Summary
spree_auth_devise is an open source library which provides authentication and authorization services for use with the Spree storefront framework by using an underlying Devise authentication framework. In affected versions spree_auth_devise is subject to a CSRF vulnerability that allows user account takeover. All applications using any version of the frontend component of spree_auth_devise are affected if protect_from_forgery method is both: Executed whether as: A before_action callback (the default). A prepend_before_action (option prepend: true given) before the :load_object hook in Spree::UserController (most likely order to find). Configured to use :null_session or :reset_session strategies (:null_session is the default in case the no strategy is given, but rails --new generated skeleton use :exception). Users are advised to update their spree_auth_devise gem. For users unable to update it may be possible to change your strategy to :exception. Please see the linked GHSA for more workaround details. ### Impact CSRF vulnerability that allows user account takeover. All applications using any version of the frontend component of `spree_auth_devise` are affected if `protect_from_forgery` method is both: * Executed whether as: * A before_action callback (the default) * A prepend_before_action (option prepend: true given) before the :load_object hook in Spree::UserController (most likely order to find). * Configured to use :null_session or :reset_session strategies (:null_session is the default in case the no strategy is given, but rails --new generated skeleton use :exception). That means that applications that haven't been configured differently from what it's generated with Rails aren't affected. Thanks @waiting-for-dev for reporting and providing a patch �� ### Patches Spree 4.3 users should update to spree_auth_devise 4.4.1 Spree 4.2 users should update to spree_auth_devise 4.2.1 ### Workarounds If possible, change your strategy to :exception: ```ruby class ApplicationController < ActionController::Base protect_from_forgery with: :exception end ``` Add the following to`config/application.rb `to at least run the `:exception` strategy on the affected controller: ```ruby config.after_initialize do Spree::UsersController.protect_from_forgery with: :exception end ``` ### References https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2
Severity ?
9.3 (Critical)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| spree | spree_auth_devise |
Affected:
>= 4.3.0, < 4.4.1
Affected: >= 4.2.0, < 4.2.1 Affected: >= 4.1.0, < 4.1.1 Affected: < 4.0.1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T03:08:31.652Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/spree/spree_auth_devise/security/advisories/GHSA-26xx-m4q2-xhq8"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/spree/spree_auth_devise/commit/adf6ed4cd94d66091776b5febd4ff3767362de63"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "spree_auth_devise",
"vendor": "spree",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.3.0, \u003c 4.4.1"
},
{
"status": "affected",
"version": "\u003e= 4.2.0, \u003c 4.2.1"
},
{
"status": "affected",
"version": "\u003e= 4.1.0, \u003c 4.1.1"
},
{
"status": "affected",
"version": "\u003c 4.0.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "spree_auth_devise is an open source library which provides authentication and authorization services for use with the Spree storefront framework by using an underlying Devise authentication framework. In affected versions spree_auth_devise is subject to a CSRF vulnerability that allows user account takeover. All applications using any version of the frontend component of spree_auth_devise are affected if protect_from_forgery method is both: Executed whether as: A before_action callback (the default). A prepend_before_action (option prepend: true given) before the :load_object hook in Spree::UserController (most likely order to find). Configured to use :null_session or :reset_session strategies (:null_session is the default in case the no strategy is given, but rails --new generated skeleton use :exception). Users are advised to update their spree_auth_devise gem. For users unable to update it may be possible to change your strategy to :exception. Please see the linked GHSA for more workaround details. ### Impact CSRF vulnerability that allows user account takeover. All applications using any version of the frontend component of `spree_auth_devise` are affected if `protect_from_forgery` method is both: * Executed whether as: * A before_action callback (the default) * A prepend_before_action (option prepend: true given) before the :load_object hook in Spree::UserController (most likely order to find). * Configured to use :null_session or :reset_session strategies (:null_session is the default in case the no strategy is given, but rails --new generated skeleton use :exception). That means that applications that haven\u0027t been configured differently from what it\u0027s generated with Rails aren\u0027t affected. Thanks @waiting-for-dev for reporting and providing a patch \ufffd\ufffd ### Patches Spree 4.3 users should update to spree_auth_devise 4.4.1 Spree 4.2 users should update to spree_auth_devise 4.2.1 ### Workarounds If possible, change your strategy to :exception: ```ruby class ApplicationController \u003c ActionController::Base protect_from_forgery with: :exception end ``` Add the following to`config/application.rb `to at least run the `:exception` strategy on the affected controller: ```ruby config.after_initialize do Spree::UsersController.protect_from_forgery with: :exception end ``` ### References https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352: Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-11-17T19:50:11",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/spree/spree_auth_devise/security/advisories/GHSA-26xx-m4q2-xhq8"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/spree/spree_auth_devise/commit/adf6ed4cd94d66091776b5febd4ff3767362de63"
}
],
"source": {
"advisory": "GHSA-26xx-m4q2-xhq8",
"discovery": "UNKNOWN"
},
"title": "Authentication Bypass by CSRF Weakness",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-41275",
"STATE": "PUBLIC",
"TITLE": "Authentication Bypass by CSRF Weakness"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "spree_auth_devise",
"version": {
"version_data": [
{
"version_value": "\u003e= 4.3.0, \u003c 4.4.1"
},
{
"version_value": "\u003e= 4.2.0, \u003c 4.2.1"
},
{
"version_value": "\u003e= 4.1.0, \u003c 4.1.1"
},
{
"version_value": "\u003c 4.0.1"
}
]
}
}
]
},
"vendor_name": "spree"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "spree_auth_devise is an open source library which provides authentication and authorization services for use with the Spree storefront framework by using an underlying Devise authentication framework. In affected versions spree_auth_devise is subject to a CSRF vulnerability that allows user account takeover. All applications using any version of the frontend component of spree_auth_devise are affected if protect_from_forgery method is both: Executed whether as: A before_action callback (the default). A prepend_before_action (option prepend: true given) before the :load_object hook in Spree::UserController (most likely order to find). Configured to use :null_session or :reset_session strategies (:null_session is the default in case the no strategy is given, but rails --new generated skeleton use :exception). Users are advised to update their spree_auth_devise gem. For users unable to update it may be possible to change your strategy to :exception. Please see the linked GHSA for more workaround details. ### Impact CSRF vulnerability that allows user account takeover. All applications using any version of the frontend component of `spree_auth_devise` are affected if `protect_from_forgery` method is both: * Executed whether as: * A before_action callback (the default) * A prepend_before_action (option prepend: true given) before the :load_object hook in Spree::UserController (most likely order to find). * Configured to use :null_session or :reset_session strategies (:null_session is the default in case the no strategy is given, but rails --new generated skeleton use :exception). That means that applications that haven\u0027t been configured differently from what it\u0027s generated with Rails aren\u0027t affected. Thanks @waiting-for-dev for reporting and providing a patch \ufffd\ufffd ### Patches Spree 4.3 users should update to spree_auth_devise 4.4.1 Spree 4.2 users should update to spree_auth_devise 4.2.1 ### Workarounds If possible, change your strategy to :exception: ```ruby class ApplicationController \u003c ActionController::Base protect_from_forgery with: :exception end ``` Add the following to`config/application.rb `to at least run the `:exception` strategy on the affected controller: ```ruby config.after_initialize do Spree::UsersController.protect_from_forgery with: :exception end ``` ### References https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2"
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-352: Cross-Site Request Forgery (CSRF)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/spree/spree_auth_devise/security/advisories/GHSA-26xx-m4q2-xhq8",
"refsource": "CONFIRM",
"url": "https://github.com/spree/spree_auth_devise/security/advisories/GHSA-26xx-m4q2-xhq8"
},
{
"name": "https://github.com/spree/spree_auth_devise/commit/adf6ed4cd94d66091776b5febd4ff3767362de63",
"refsource": "MISC",
"url": "https://github.com/spree/spree_auth_devise/commit/adf6ed4cd94d66091776b5febd4ff3767362de63"
}
]
},
"source": {
"advisory": "GHSA-26xx-m4q2-xhq8",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-41275",
"datePublished": "2021-11-17T19:50:11",
"dateReserved": "2021-09-15T00:00:00",
"dateUpdated": "2024-08-04T03:08:31.652Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-26223 (GCVE-0-2020-26223)
Vulnerability from cvelistv5 – Published: 2020-11-13 17:25 – Updated: 2024-08-04 15:49
VLAI?
Summary
Spree is a complete open source e-commerce solution built with Ruby on Rails. In Spree from version 3.7 and before versions 3.7.13, 4.0.5, and 4.1.12, there is an authorization bypass vulnerability. The perpetrator could query the API v2 Order Status endpoint with an empty string passed as an Order token. This is patched in versions 3.7.11, 4.0.4, or 4.1.11 depending on your used Spree version. Users of Spree < 3.7 are not affected.
Severity ?
7.7 (High)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T15:49:07.219Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/spree/spree/security/advisories/GHSA-m2jr-hmc3-qmpr"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/spree/spree/pull/10573"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://guides.spreecommerce.org/api/v2/storefront#tag/Order-Status"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "spree",
"vendor": "spree",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.7.0, \u003c 3.7.13"
},
{
"status": "affected",
"version": "\u003e= 4.0.0, \u003c 4.0.5"
},
{
"status": "affected",
"version": "\u003e= 4.1.0, \u003c 4.1.12"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Spree is a complete open source e-commerce solution built with Ruby on Rails. In Spree from version 3.7 and before versions 3.7.13, 4.0.5, and 4.1.12, there is an authorization bypass vulnerability. The perpetrator could query the API v2 Order Status endpoint with an empty string passed as an Order token. This is patched in versions 3.7.11, 4.0.4, or 4.1.11 depending on your used Spree version. Users of Spree \u003c 3.7 are not affected."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-11-13T17:25:20",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/spree/spree/security/advisories/GHSA-m2jr-hmc3-qmpr"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/spree/spree/pull/10573"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://guides.spreecommerce.org/api/v2/storefront#tag/Order-Status"
}
],
"source": {
"advisory": "GHSA-m2jr-hmc3-qmpr",
"discovery": "UNKNOWN"
},
"title": "Authorization bypass in Spree",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-26223",
"STATE": "PUBLIC",
"TITLE": "Authorization bypass in Spree"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "spree",
"version": {
"version_data": [
{
"version_value": "\u003e= 3.7.0, \u003c 3.7.13"
},
{
"version_value": "\u003e= 4.0.0, \u003c 4.0.5"
},
{
"version_value": "\u003e= 4.1.0, \u003c 4.1.12"
}
]
}
}
]
},
"vendor_name": "spree"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Spree is a complete open source e-commerce solution built with Ruby on Rails. In Spree from version 3.7 and before versions 3.7.13, 4.0.5, and 4.1.12, there is an authorization bypass vulnerability. The perpetrator could query the API v2 Order Status endpoint with an empty string passed as an Order token. This is patched in versions 3.7.11, 4.0.4, or 4.1.11 depending on your used Spree version. Users of Spree \u003c 3.7 are not affected."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-863: Incorrect Authorization"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/spree/spree/security/advisories/GHSA-m2jr-hmc3-qmpr",
"refsource": "CONFIRM",
"url": "https://github.com/spree/spree/security/advisories/GHSA-m2jr-hmc3-qmpr"
},
{
"name": "https://github.com/spree/spree/pull/10573",
"refsource": "MISC",
"url": "https://github.com/spree/spree/pull/10573"
},
{
"name": "https://guides.spreecommerce.org/api/v2/storefront#tag/Order-Status",
"refsource": "MISC",
"url": "https://guides.spreecommerce.org/api/v2/storefront#tag/Order-Status"
}
]
},
"source": {
"advisory": "GHSA-m2jr-hmc3-qmpr",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-26223",
"datePublished": "2020-11-13T17:25:20",
"dateReserved": "2020-10-01T00:00:00",
"dateUpdated": "2024-08-04T15:49:07.219Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2013-2506 (GCVE-0-2013-2506)
Vulnerability from cvelistv5 – Published: 2013-03-08 18:00 – Updated: 2024-08-06 15:44
VLAI?
Summary
app/models/spree/user.rb in spree_auth_devise in Spree 1.1.x before 1.1.6, 1.2.x, and 1.3.x does not perform mass assignment safely when updating a user, which allows remote authenticated users to assign arbitrary roles to themselves.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T15:44:32.097Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/spree/spree_auth_devise/commit/038d74771d3b5c13d13b738b73dfda1033a99f65"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2013-02-21T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "app/models/spree/user.rb in spree_auth_devise in Spree 1.1.x before 1.1.6, 1.2.x, and 1.3.x does not perform mass assignment safely when updating a user, which allows remote authenticated users to assign arbitrary roles to themselves."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-01-17T15:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/spree/spree_auth_devise/commit/038d74771d3b5c13d13b738b73dfda1033a99f65"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2013-2506",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "app/models/spree/user.rb in spree_auth_devise in Spree 1.1.x before 1.1.6, 1.2.x, and 1.3.x does not perform mass assignment safely when updating a user, which allows remote authenticated users to assign arbitrary roles to themselves."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed",
"refsource": "CONFIRM",
"url": "http://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed"
},
{
"name": "https://github.com/spree/spree_auth_devise/commit/038d74771d3b5c13d13b738b73dfda1033a99f65",
"refsource": "CONFIRM",
"url": "https://github.com/spree/spree_auth_devise/commit/038d74771d3b5c13d13b738b73dfda1033a99f65"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2013-2506",
"datePublished": "2013-03-08T18:00:00",
"dateReserved": "2013-03-08T00:00:00",
"dateUpdated": "2024-08-06T15:44:32.097Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2013-1656 (GCVE-0-2013-1656)
Vulnerability from cvelistv5 – Published: 2013-03-08 18:00 – Updated: 2024-08-06 15:13
VLAI?
Summary
Spree Commerce 1.0.x through 1.3.2 allows remote authenticated administrators to instantiate arbitrary Ruby objects and execute arbitrary commands via the (1) payment_method parameter to core/app/controllers/spree/admin/payment_methods_controller.rb; and the (2) promotion_action parameter to promotion_actions_controller.rb, (3) promotion_rule parameter to promotion_rules_controller.rb, and (4) calculator_type parameter to promotions_controller.rb in promo/app/controllers/spree/admin/, related to unsafe use of the constantize function.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T15:13:32.736Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://blog.conviso.com.br/2013/03/spree-commerce-multiple-unsafe.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.conviso.com.br/advisories/CVE-2013-1656.txt"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2013-02-21T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Spree Commerce 1.0.x through 1.3.2 allows remote authenticated administrators to instantiate arbitrary Ruby objects and execute arbitrary commands via the (1) payment_method parameter to core/app/controllers/spree/admin/payment_methods_controller.rb; and the (2) promotion_action parameter to promotion_actions_controller.rb, (3) promotion_rule parameter to promotion_rules_controller.rb, and (4) calculator_type parameter to promotions_controller.rb in promo/app/controllers/spree/admin/, related to unsafe use of the constantize function."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2016-04-28T11:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://blog.conviso.com.br/2013/03/spree-commerce-multiple-unsafe.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.conviso.com.br/advisories/CVE-2013-1656.txt"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2013-1656",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Spree Commerce 1.0.x through 1.3.2 allows remote authenticated administrators to instantiate arbitrary Ruby objects and execute arbitrary commands via the (1) payment_method parameter to core/app/controllers/spree/admin/payment_methods_controller.rb; and the (2) promotion_action parameter to promotion_actions_controller.rb, (3) promotion_rule parameter to promotion_rules_controller.rb, and (4) calculator_type parameter to promotions_controller.rb in promo/app/controllers/spree/admin/, related to unsafe use of the constantize function."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://blog.conviso.com.br/2013/03/spree-commerce-multiple-unsafe.html",
"refsource": "MISC",
"url": "http://blog.conviso.com.br/2013/03/spree-commerce-multiple-unsafe.html"
},
{
"name": "http://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed",
"refsource": "CONFIRM",
"url": "http://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed"
},
{
"name": "https://www.conviso.com.br/advisories/CVE-2013-1656.txt",
"refsource": "MISC",
"url": "https://www.conviso.com.br/advisories/CVE-2013-1656.txt"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2013-1656",
"datePublished": "2013-03-08T18:00:00",
"dateReserved": "2013-02-11T00:00:00",
"dateUpdated": "2024-08-06T15:13:32.736Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2008-7310 (GCVE-0-2008-7310)
Vulnerability from cvelistv5 – Published: 2012-04-04 22:00 – Updated: 2024-09-16 23:30
VLAI?
Summary
Spree 0.2.0 does not properly restrict the use of a hash to provide values for a model's attributes, which allows remote attackers to set the Order state value and bypass the intended payment step via a modified URL, related to a "mass assignment" vulnerability.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T12:03:36.738Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://spreecommerce.com/blog/2008/09/16/security-vulnerability-mass-assignment-of-order-params/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://railspikes.com/2008/9/22/is-your-rails-application-safe-from-mass-assignment"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Spree 0.2.0 does not properly restrict the use of a hash to provide values for a model\u0027s attributes, which allows remote attackers to set the Order state value and bypass the intended payment step via a modified URL, related to a \"mass assignment\" vulnerability."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2012-04-04T22:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://spreecommerce.com/blog/2008/09/16/security-vulnerability-mass-assignment-of-order-params/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://railspikes.com/2008/9/22/is-your-rails-application-safe-from-mass-assignment"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2008-7310",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Spree 0.2.0 does not properly restrict the use of a hash to provide values for a model\u0027s attributes, which allows remote attackers to set the Order state value and bypass the intended payment step via a modified URL, related to a \"mass assignment\" vulnerability."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://spreecommerce.com/blog/2008/09/16/security-vulnerability-mass-assignment-of-order-params/",
"refsource": "CONFIRM",
"url": "http://spreecommerce.com/blog/2008/09/16/security-vulnerability-mass-assignment-of-order-params/"
},
{
"name": "http://railspikes.com/2008/9/22/is-your-rails-application-safe-from-mass-assignment",
"refsource": "MISC",
"url": "http://railspikes.com/2008/9/22/is-your-rails-application-safe-from-mass-assignment"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2008-7310",
"datePublished": "2012-04-04T22:00:00Z",
"dateReserved": "2012-04-04T00:00:00Z",
"dateUpdated": "2024-09-16T23:30:34.534Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2008-7311 (GCVE-0-2008-7311)
Vulnerability from cvelistv5 – Published: 2012-04-04 22:00 – Updated: 2024-09-17 00:06
VLAI?
Summary
The session cookie store implementation in Spree 0.2.0 uses a hardcoded config.action_controller_session hash value (aka secret key), which makes it easier for remote attackers to bypass cryptographic protection mechanisms by leveraging an application that contains this value within the config/environment.rb file.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T12:03:36.221Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://support.spreehq.org/issues/show/63"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://spreecommerce.com/blog/2008/08/12/security-vulernability-session-cookie-store/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The session cookie store implementation in Spree 0.2.0 uses a hardcoded config.action_controller_session hash value (aka secret key), which makes it easier for remote attackers to bypass cryptographic protection mechanisms by leveraging an application that contains this value within the config/environment.rb file."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2012-04-04T22:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://support.spreehq.org/issues/show/63"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://spreecommerce.com/blog/2008/08/12/security-vulernability-session-cookie-store/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2008-7311",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The session cookie store implementation in Spree 0.2.0 uses a hardcoded config.action_controller_session hash value (aka secret key), which makes it easier for remote attackers to bypass cryptographic protection mechanisms by leveraging an application that contains this value within the config/environment.rb file."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://support.spreehq.org/issues/show/63",
"refsource": "CONFIRM",
"url": "http://support.spreehq.org/issues/show/63"
},
{
"name": "http://spreecommerce.com/blog/2008/08/12/security-vulernability-session-cookie-store/",
"refsource": "CONFIRM",
"url": "http://spreecommerce.com/blog/2008/08/12/security-vulernability-session-cookie-store/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2008-7311",
"datePublished": "2012-04-04T22:00:00Z",
"dateReserved": "2012-04-04T00:00:00Z",
"dateUpdated": "2024-09-17T00:06:53.420Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2010-3978 (GCVE-0-2010-3978)
Vulnerability from cvelistv5 – Published: 2010-11-17 15:00 – Updated: 2024-08-07 03:26
VLAI?
Summary
Spree 0.11.x before 0.11.2 and 0.30.x before 0.30.0 exchanges data using JavaScript Object Notation (JSON) without a mechanism for validating requests, which allows remote attackers to obtain sensitive information via vectors involving (1) admin/products.json, (2) admin/users.json, or (3) admin/overview/get_report_data, related to a "JSON hijacking" issue.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T03:26:12.329Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.conviso.com.br/json-hijacking-vulnerability/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://spreecommerce.com/blog/2010/11/02/json-hijacking-vulnerability/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/railsdog/spree/commit/19944bd999c310d9b10d16a41f48ebac97dc4fac"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://spreecommerce.com/blog/2010/11/09/spree-0-30-0-released/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/railsdog/spree/commit/d881b2bb610ea33e2364ff16feb8e702dfeda135"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.conviso.com.br/security-advisory-spree-e-commerce-json-v-0-11x/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://twitter.com/conviso/statuses/29555076248"
},
{
"name": "20101108 Spree e-commerce JSON Hijacking Vulnerabilities - CVE-2010-3978",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "http://www.securityfocus.com/archive/1/514674/100/0/threaded"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2010-11-02T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Spree 0.11.x before 0.11.2 and 0.30.x before 0.30.0 exchanges data using JavaScript Object Notation (JSON) without a mechanism for validating requests, which allows remote attackers to obtain sensitive information via vectors involving (1) admin/products.json, (2) admin/users.json, or (3) admin/overview/get_report_data, related to a \"JSON hijacking\" issue."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-10-10T18:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://www.conviso.com.br/json-hijacking-vulnerability/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://spreecommerce.com/blog/2010/11/02/json-hijacking-vulnerability/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/railsdog/spree/commit/19944bd999c310d9b10d16a41f48ebac97dc4fac"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://spreecommerce.com/blog/2010/11/09/spree-0-30-0-released/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/railsdog/spree/commit/d881b2bb610ea33e2364ff16feb8e702dfeda135"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://www.conviso.com.br/security-advisory-spree-e-commerce-json-v-0-11x/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://twitter.com/conviso/statuses/29555076248"
},
{
"name": "20101108 Spree e-commerce JSON Hijacking Vulnerabilities - CVE-2010-3978",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "http://www.securityfocus.com/archive/1/514674/100/0/threaded"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2010-3978",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Spree 0.11.x before 0.11.2 and 0.30.x before 0.30.0 exchanges data using JavaScript Object Notation (JSON) without a mechanism for validating requests, which allows remote attackers to obtain sensitive information via vectors involving (1) admin/products.json, (2) admin/users.json, or (3) admin/overview/get_report_data, related to a \"JSON hijacking\" issue."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://www.conviso.com.br/json-hijacking-vulnerability/",
"refsource": "MISC",
"url": "http://www.conviso.com.br/json-hijacking-vulnerability/"
},
{
"name": "http://spreecommerce.com/blog/2010/11/02/json-hijacking-vulnerability/",
"refsource": "CONFIRM",
"url": "http://spreecommerce.com/blog/2010/11/02/json-hijacking-vulnerability/"
},
{
"name": "https://github.com/railsdog/spree/commit/19944bd999c310d9b10d16a41f48ebac97dc4fac",
"refsource": "CONFIRM",
"url": "https://github.com/railsdog/spree/commit/19944bd999c310d9b10d16a41f48ebac97dc4fac"
},
{
"name": "http://spreecommerce.com/blog/2010/11/09/spree-0-30-0-released/",
"refsource": "CONFIRM",
"url": "http://spreecommerce.com/blog/2010/11/09/spree-0-30-0-released/"
},
{
"name": "https://github.com/railsdog/spree/commit/d881b2bb610ea33e2364ff16feb8e702dfeda135",
"refsource": "CONFIRM",
"url": "https://github.com/railsdog/spree/commit/d881b2bb610ea33e2364ff16feb8e702dfeda135"
},
{
"name": "http://www.conviso.com.br/security-advisory-spree-e-commerce-json-v-0-11x/",
"refsource": "MISC",
"url": "http://www.conviso.com.br/security-advisory-spree-e-commerce-json-v-0-11x/"
},
{
"name": "http://twitter.com/conviso/statuses/29555076248",
"refsource": "MISC",
"url": "http://twitter.com/conviso/statuses/29555076248"
},
{
"name": "20101108 Spree e-commerce JSON Hijacking Vulnerabilities - CVE-2010-3978",
"refsource": "BUGTRAQ",
"url": "http://www.securityfocus.com/archive/1/514674/100/0/threaded"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2010-3978",
"datePublished": "2010-11-17T15:00:00",
"dateReserved": "2010-10-18T00:00:00",
"dateUpdated": "2024-08-07T03:26:12.329Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}