Lookup for vulnerable packages by Package URL.

Purl pkg:gem/spree@1.3.0
Type gem
Namespace
Name spree
Version 1.3.0
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 3.7.13
Latest_non_vulnerable_version 5.4.3
Affected_by_vulnerabilities
0
url VCID-cwh1-mmky-ukcx
vulnerability_id VCID-cwh1-mmky-ukcx
summary
Ensure that doorkeeper_token is valid when authenticating requests in API v2 calls
### Impact

The perpetrator who previously obtained an old expired user token could use it to access Storefront API v2 endpoints.

### Patches

Please upgrade to 3.7.11, 4.0.4, or 4.1.11, depending on the Spree version you use.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2020-15269
reference_id
reference_type
scores
0
value 0.00257
scoring_system epss
scoring_elements 0.49283
published_at 2026-06-04T12:55:00Z
1
value 0.00257
scoring_system epss
scoring_elements 0.49344
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2020-15269
1
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree/CVE-2020-15269.yml
reference_id
reference_type
scores
0
value 7.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree/CVE-2020-15269.yml
2
reference_url https://github.com/spree/spree
reference_id
reference_type
scores
0
value 7.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/spree/spree
3
reference_url https://github.com/spree/spree/commit/e43643abfe51f54bd9208dd02298b366e9b9a847
reference_id
reference_type
scores
0
value 7.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/spree/spree/commit/e43643abfe51f54bd9208dd02298b366e9b9a847
4
reference_url https://github.com/spree/spree/security/advisories/GHSA-f8cm-364f-q9qh
reference_id
reference_type
scores
0
value 7.4
scoring_system cvssv3
scoring_elements
1
value 7.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
2
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
3
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/spree/spree/security/advisories/GHSA-f8cm-364f-q9qh
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2020-15269
reference_id CVE-2020-15269
reference_type
scores
0
value 7.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2020-15269
6
reference_url https://github.com/advisories/GHSA-f8cm-364f-q9qh
reference_id GHSA-f8cm-364f-q9qh
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-f8cm-364f-q9qh
fixed_packages
0
url pkg:gem/spree@3.7.11
purl pkg:gem/spree@3.7.11
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-yqz2-9hru-wkcs
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/spree@3.7.11
1
url pkg:gem/spree@4.0.4
purl pkg:gem/spree@4.0.4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-yqz2-9hru-wkcs
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/spree@4.0.4
2
url pkg:gem/spree@4.1.11
purl pkg:gem/spree@4.1.11
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-yqz2-9hru-wkcs
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/spree@4.1.11
aliases CVE-2020-15269, GHSA-f8cm-364f-q9qh
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-cwh1-mmky-ukcx
1
url VCID-s4mu-v75h-dfep
vulnerability_id VCID-s4mu-v75h-dfep
summary
Private information access through CSRF
A vulnerability in the API can allow an attacker to commit CSRF gaining access to private information.
references
0
reference_url http://osvdb.org/show/osvdb/119205
reference_id
reference_type
scores
url http://osvdb.org/show/osvdb/119205
1
reference_url https://spreecommerce.com/blog/security-updates-2015-3-3
reference_id
reference_type
scores
url https://spreecommerce.com/blog/security-updates-2015-3-3
fixed_packages
0
url pkg:gem/spree@2.2.10
purl pkg:gem/spree@2.2.10
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-cwh1-mmky-ukcx
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/spree@2.2.10
1
url pkg:gem/spree@2.3.8
purl pkg:gem/spree@2.3.8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-cwh1-mmky-ukcx
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/spree@2.3.8
2
url pkg:gem/spree@2.4.5
purl pkg:gem/spree@2.4.5
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-cwh1-mmky-ukcx
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/spree@2.4.5
3
url pkg:gem/spree@3.0.0.rc4
purl pkg:gem/spree@3.0.0.rc4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-cwh1-mmky-ukcx
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/spree@3.0.0.rc4
aliases OSVDB-119205
risk_score null
exploitability 0.5
weighted_severity 0.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-s4mu-v75h-dfep
2
url VCID-t9gu-2vs3-g7cu
vulnerability_id VCID-t9gu-2vs3-g7cu
summary
Permissions, Privileges, and Access Controls
app/models/spree/user.rb in spree_auth_devise in Spree does not perform mass assignment safely when updating a user, which allows remote authenticated users to assign arbitrary roles to themselves.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2013-2506
reference_id
reference_type
scores
0
value 0.00171
scoring_system epss
scoring_elements 0.38145
published_at 2026-06-05T12:55:00Z
1
value 0.00171
scoring_system epss
scoring_elements 0.38055
published_at 2026-06-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2013-2506
1
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree_auth/CVE-2013-2506.yml
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree_auth/CVE-2013-2506.yml
2
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree_auth_devise/CVE-2013-2506.yml
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree_auth_devise/CVE-2013-2506.yml
3
reference_url https://github.com/spree/spree_auth_devise
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/spree/spree_auth_devise
4
reference_url https://github.com/spree/spree_auth_devise/commit/038d74771d3b5c13d13b738b73dfda1033a99f65
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/spree/spree_auth_devise/commit/038d74771d3b5c13d13b738b73dfda1033a99f65
5
reference_url https://github.com/spree/spree_auth_devise/commit/fda3ab9fb536c64fe18a9b78bb21c6176b3ea24d
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/spree/spree_auth_devise/commit/fda3ab9fb536c64fe18a9b78bb21c6176b3ea24d
6
reference_url http://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed
reference_id
reference_type
scores
url http://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed
7
reference_url https://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed
reference_id
reference_type
scores
url https://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed
8
reference_url https://web.archive.org/web/20131207040639/https://rubygems.org/gems/spree_auth_devise/versions
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20131207040639/https://rubygems.org/gems/spree_auth_devise/versions
9
reference_url https://web.archive.org/web/20160331131233/https://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20160331131233/https://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed
10
reference_url https://nvd.nist.gov/vuln/detail/CVE-2013-2506
reference_id CVE-2013-2506
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2013-2506
fixed_packages
0
url pkg:gem/spree@3.0.5
purl pkg:gem/spree@3.0.5
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-cwh1-mmky-ukcx
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/spree@3.0.5
aliases CVE-2013-2506, GHSA-jp57-9j37-5476, OSV-90865
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-t9gu-2vs3-g7cu
3
url VCID-y37s-b27m-n7ad
vulnerability_id VCID-y37s-b27m-n7ad
summary
Authenticated administrators to execute arbitrary commands
Spree Commerce allows remote authenticated administrators to instantiate arbitrary Ruby objects and execute arbitrary commands via (1) the payment_method parameter to core/app/controllers/spree/admin/payment_methods_controller.rb; and (2) the promotion_action parameter to promotion_actions_controller.rb, (3) the promotion_rule parameter to promotion_rules_controller.rb, and (4) the calculator_type parameter to promotions_controller.rb in promo/app/controllers/spree/admin/, related to unsafe use of the constantize function.
references
0
reference_url http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1656
reference_id
reference_type
scores
url http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1656
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2013-1656
reference_id
reference_type
scores
0
value 0.00305
scoring_system epss
scoring_elements 0.54043
published_at 2026-06-04T12:55:00Z
1
value 0.00305
scoring_system epss
scoring_elements 0.541
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2013-1656
2
reference_url https://blog.convisoappsec.com/en/spree-commerce-multiple-unsafe-reflection-vulnerabilities-cve-2013-1656
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://blog.convisoappsec.com/en/spree-commerce-multiple-unsafe-reflection-vulnerabilities-cve-2013-1656
3
reference_url https://github.com/advisories/GHSA-jxx8-v83v-rhw3
reference_id
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-jxx8-v83v-rhw3
4
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree/CVE-2013-1656.yml
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree/CVE-2013-1656.yml
5
reference_url https://github.com/spree/spree
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/spree/spree
6
reference_url https://github.com/spree/spree/commit/70092eb55b8be8fe5d21a7658b62da658612fba7
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/spree/spree/commit/70092eb55b8be8fe5d21a7658b62da658612fba7
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2013-1656
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2013-1656
8
reference_url https://web.archive.org/web/20130907044454/https://www.conviso.com.br/advisories/CVE-2013-1656.txt
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20130907044454/https://www.conviso.com.br/advisories/CVE-2013-1656.txt
9
reference_url https://web.archive.org/web/20140329142330/http://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20140329142330/http://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed
10
reference_url https://web.archive.org/web/20140618100330/http://blog.conviso.com.br/2013/03/spree-commerce-multiple-unsafe.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20140618100330/http://blog.conviso.com.br/2013/03/spree-commerce-multiple-unsafe.html
fixed_packages
0
url pkg:gem/spree@1.3.3
purl pkg:gem/spree@1.3.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-cwh1-mmky-ukcx
1
vulnerability VCID-s4mu-v75h-dfep
2
vulnerability VCID-y37s-b27m-n7ad
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/spree@1.3.3
1
url pkg:gem/spree@2.0.0.rc1
purl pkg:gem/spree@2.0.0.rc1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-cwh1-mmky-ukcx
1
vulnerability VCID-s4mu-v75h-dfep
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/spree@2.0.0.rc1
2
url pkg:gem/spree@2.0.0
purl pkg:gem/spree@2.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-cwh1-mmky-ukcx
1
vulnerability VCID-s4mu-v75h-dfep
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/spree@2.0.0
aliases CVE-2013-1656, GHSA-jxx8-v83v-rhw3
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-y37s-b27m-n7ad
Fixing_vulnerabilities
0
url VCID-t9gu-2vs3-g7cu
vulnerability_id VCID-t9gu-2vs3-g7cu
summary
Permissions, Privileges, and Access Controls
app/models/spree/user.rb in spree_auth_devise in Spree does not perform mass assignment safely when updating a user, which allows remote authenticated users to assign arbitrary roles to themselves.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2013-2506
reference_id
reference_type
scores
0
value 0.00171
scoring_system epss
scoring_elements 0.38145
published_at 2026-06-05T12:55:00Z
1
value 0.00171
scoring_system epss
scoring_elements 0.38055
published_at 2026-06-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2013-2506
1
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree_auth/CVE-2013-2506.yml
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree_auth/CVE-2013-2506.yml
2
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree_auth_devise/CVE-2013-2506.yml
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree_auth_devise/CVE-2013-2506.yml
3
reference_url https://github.com/spree/spree_auth_devise
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/spree/spree_auth_devise
4
reference_url https://github.com/spree/spree_auth_devise/commit/038d74771d3b5c13d13b738b73dfda1033a99f65
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/spree/spree_auth_devise/commit/038d74771d3b5c13d13b738b73dfda1033a99f65
5
reference_url https://github.com/spree/spree_auth_devise/commit/fda3ab9fb536c64fe18a9b78bb21c6176b3ea24d
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/spree/spree_auth_devise/commit/fda3ab9fb536c64fe18a9b78bb21c6176b3ea24d
6
reference_url http://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed
reference_id
reference_type
scores
url http://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed
7
reference_url https://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed
reference_id
reference_type
scores
url https://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed
8
reference_url https://web.archive.org/web/20131207040639/https://rubygems.org/gems/spree_auth_devise/versions
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20131207040639/https://rubygems.org/gems/spree_auth_devise/versions
9
reference_url https://web.archive.org/web/20160331131233/https://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20160331131233/https://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed
10
reference_url https://nvd.nist.gov/vuln/detail/CVE-2013-2506
reference_id CVE-2013-2506
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2013-2506
fixed_packages
0
url pkg:gem/spree@1.2.0.rc1
purl pkg:gem/spree@1.2.0.rc1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-cwh1-mmky-ukcx
1
vulnerability VCID-s4mu-v75h-dfep
2
vulnerability VCID-t9gu-2vs3-g7cu
3
vulnerability VCID-y37s-b27m-n7ad
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/spree@1.2.0.rc1
1
url pkg:gem/spree@1.2.0
purl pkg:gem/spree@1.2.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-cwh1-mmky-ukcx
1
vulnerability VCID-s4mu-v75h-dfep
2
vulnerability VCID-t9gu-2vs3-g7cu
3
vulnerability VCID-y37s-b27m-n7ad
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/spree@1.2.0
2
url pkg:gem/spree@1.3.0
purl pkg:gem/spree@1.3.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-cwh1-mmky-ukcx
1
vulnerability VCID-s4mu-v75h-dfep
2
vulnerability VCID-t9gu-2vs3-g7cu
3
vulnerability VCID-y37s-b27m-n7ad
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/spree@1.3.0
3
url pkg:gem/spree@3.0.5
purl pkg:gem/spree@3.0.5
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-cwh1-mmky-ukcx
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/spree@3.0.5
aliases CVE-2013-2506, GHSA-jp57-9j37-5476, OSV-90865
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-t9gu-2vs3-g7cu
Risk_score 4.0
Resource_url http://public2.vulnerablecode.io/packages/pkg:gem/spree@1.3.0