Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:gem/spree@0.60.2
purl pkg:gem/spree@0.60.2
Next non-vulnerable version None.
Latest non-vulnerable version None.
Risk 4.0
Vulnerabilities affecting this package (5)
Vulnerability Summary Fixed by
VCID-1e2j-1256-13g1
Aliases:
CVE-2013-2506
GHSA-jp57-9j37-5476
OSV-90865
1.2.0.rc1
Affected by 5 other vulnerabilities.
1.2.0
Affected by 5 other vulnerabilities.
1.3.0
Affected by 5 other vulnerabilities.
3.0.5
Affected by 2 other vulnerabilities.
VCID-21sq-xn6a-bbb4
Aliases:
OSVDB-119205
Private information access through CSRF A vulnerability in the API can allow an attacker to commit CSRF gaining access to private information.
2.2.10
Affected by 2 other vulnerabilities.
2.3.8
Affected by 2 other vulnerabilities.
2.4.5
Affected by 2 other vulnerabilities.
3.0.0.rc4
Affected by 2 other vulnerabilities.
VCID-8etx-g5nr-bkhf
Aliases:
CVE-2013-1656
GHSA-jxx8-v83v-rhw3
Spree Improper Input Validation vulnerability
1.3.3
Affected by 3 other vulnerabilities.
2.0.0.rc1
Affected by 3 other vulnerabilities.
2.0.0
Affected by 3 other vulnerabilities.
VCID-8mxp-3pu4-uqg8
Aliases:
CVE-2020-15269
GHSA-f8cm-364f-q9qh
Ensure that doorkeeper_token is valid when authenticating requests in API v2 calls
3.7.11
Affected by 3 other vulnerabilities.
4.0.4
Affected by 3 other vulnerabilities.
4.1.11
Affected by 3 other vulnerabilities.
VCID-tkvr-997w-7qe7
Aliases:
GHSA-xf4v-w5x5-pv79
Spree: CSV Formula Injection in Customer Export
5.2.8
Affected by 1 other vulnerability.
5.3.6
Affected by 1 other vulnerability.
5.4.3
Affected by 1 other vulnerability.
Vulnerabilities fixed by this package (1)
Vulnerability Summary Aliases
VCID-7jpb-r4mg-aud3 Spreecommerce versions prior to 0.60.2 contains a remote command execution vulnerability in its search functionality. The application fails to properly sanitize input passed via the search[send][] parameter, which is dynamically invoked using Ruby’s send method. This allows attackers to execute arbitrary shell commands on the server without authentication. CVE-2011-10019
GHSA-97vm-c39p-jr86
OSV-76011

Date Actor Action Vulnerability Source VulnerableCode Version
2026-06-13T09:29:09.116238+00:00 Ruby Importer Affected by VCID-tkvr-997w-7qe7 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree/GHSA-xf4v-w5x5-pv79.yml 38.6.0
2026-06-13T09:20:52.593762+00:00 Ruby Importer Affected by VCID-8mxp-3pu4-uqg8 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree/CVE-2020-15269.yml 38.6.0
2026-06-13T09:17:26.911976+00:00 Ruby Importer Affected by VCID-1e2j-1256-13g1 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree/CVE-2013-2506.yml 38.6.0
2026-06-13T09:17:26.467440+00:00 Ruby Importer Affected by VCID-8etx-g5nr-bkhf https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree/CVE-2013-1656.yml 38.6.0
2026-06-12T20:09:30.847950+00:00 GitLab Importer Fixing VCID-7jpb-r4mg-aud3 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/spree/CVE-2011-10019.yml 38.6.0
2026-06-12T17:28:54.776119+00:00 GitLab Importer Affected by VCID-8mxp-3pu4-uqg8 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/spree/CVE-2020-15269.yml 38.6.0
2026-06-12T16:48:18.182747+00:00 GitLab Importer Affected by VCID-21sq-xn6a-bbb4 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/spree/OSVDB-119205.yml 38.6.0
2026-06-12T16:46:22.624698+00:00 GitLab Importer Affected by VCID-1e2j-1256-13g1 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/spree/CVE-2013-2506.yml 38.6.0
2026-06-12T07:53:41.418263+00:00 GithubOSV Importer Fixing VCID-7jpb-r4mg-aud3 https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-97vm-c39p-jr86/GHSA-97vm-c39p-jr86.json 38.6.0