Search for packages
| purl | pkg:gem/spree@0.30.2 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-7jum-4ny7-xuhy
Aliases: CVE-2011-10019 GHSA-97vm-c39p-jr86 OSV-76011 |
Remote Command Execution in Spree search functionality Spree versions prior to 0.60.2 contain a remote command execution vulnerability in the search functionality. The application fails to properly sanitize input passed via the `search[:send][]` parameter, which is dynamically invoked using Ruby’s `send` method. This allows attackers to execute arbitrary shell commands on the server without authentication. |
Affected by 4 other vulnerabilities. |
|
VCID-cwh1-mmky-ukcx
Aliases: CVE-2020-15269 GHSA-f8cm-364f-q9qh |
Ensure that doorkeeper_token is valid when authenticating requests in API v2 calls ### Impact The perpetrator who previously obtained an old expired user token could use it to access Storefront API v2 endpoints. ### Patches Please upgrade to 3.7.11, 4.0.4, or 4.1.11 depending on your used Spree version. |
Affected by 1 other vulnerability. Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
|
VCID-s4mu-v75h-dfep
Aliases: OSVDB-119205 |
Private information access through CSRF A vulnerability in the API can allow an attacker to commit CSRF gaining access to private information. |
Affected by 1 other vulnerability. Affected by 1 other vulnerability. Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
|
VCID-t9gu-2vs3-g7cu
Aliases: CVE-2013-2506 GHSA-jp57-9j37-5476 OSV-90865 |
Permissions, Privileges, and Access Controls app/models/spree/user.rb in spree_auth_devise in Spree does not perform mass assignment safely when updating a user, which allows remote authenticated users to assign arbitrary roles to themselves. |
Affected by 4 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 1 other vulnerability. |
|
VCID-w5fg-qcqv-uugu
Aliases: CVE-2011-10026 GHSA-x485-rhg3-cqr4 |
Spree Commerce is vulnerable to RCE through Search API Spreecommerce versions prior to 0.50.x contain a remote command execution vulnerability in the API's search functionality. Improper input sanitation allows attackers to inject arbitrary shell commands via the search[instance_eval] parameter, which is dynamically invoked using Ruby’s send method. This flaw enables unauthenticated attackers to execute commands on the server. |
Affected by 5 other vulnerabilities. |
|
VCID-y37s-b27m-n7ad
Aliases: CVE-2013-1656 GHSA-jxx8-v83v-rhw3 |
Authenticated administrators to execute arbitrary commands Spree Commerce allow remote authenticated administrators to instantiate arbitrary Ruby objects and execute arbitrary commands via the (1) payment_method parameter to core/app/controllers/spree/admin/payment_methods_controller.rb; and the (2) promotion_action parameter to promotion_actions_controller.rb, (3) promotion_rule parameter to promotion_rules_controller.rb, and (4) calculator_type parameter to promotions_controller.rb in promo/app/controllers/spree/admin/, related to unsafe use of the constantize function. |
Affected by 3 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||