Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:gem/spree@1.3.2
purl pkg:gem/spree@1.3.2
Next non-vulnerable version 3.7.13
Latest non-vulnerable version 5.4.3
Risk 4.0
Vulnerabilities affecting this package (4)
Vulnerability Summary Fixed by
VCID-cwh1-mmky-ukcx
Aliases:
CVE-2020-15269
GHSA-f8cm-364f-q9qh
Ensure that doorkeeper_token is valid when authenticating requests in API v2 calls ### Impact The perpetrator who previously obtained an old expired user token could use it to access Storefront API v2 endpoints. ### Patches Please upgrade to 3.7.11, 4.0.4, or 4.1.11 depending on your used Spree version.
3.7.11
Affected by 1 other vulnerability.
4.0.4
Affected by 1 other vulnerability.
4.1.11
Affected by 1 other vulnerability.
VCID-s4mu-v75h-dfep
Aliases:
OSVDB-119205
Private information access through CSRF A vulnerability in the API can allow an attacker to commit CSRF gaining access to private information.
2.2.10
Affected by 1 other vulnerability.
2.3.8
Affected by 1 other vulnerability.
2.4.5
Affected by 1 other vulnerability.
3.0.0.rc4
Affected by 1 other vulnerability.
VCID-t9gu-2vs3-g7cu
Aliases:
CVE-2013-2506
GHSA-jp57-9j37-5476
OSV-90865
Permissions, Privileges, and Access Controls app/models/spree/user.rb in spree_auth_devise in Spree does not perform mass assignment safely when updating a user, which allows remote authenticated users to assign arbitrary roles to themselves.
3.0.5
Affected by 1 other vulnerability.
VCID-y37s-b27m-n7ad
Aliases:
CVE-2013-1656
GHSA-jxx8-v83v-rhw3
Authenticated administrators to execute arbitrary commands Spree Commerce allow remote authenticated administrators to instantiate arbitrary Ruby objects and execute arbitrary commands via the (1) payment_method parameter to core/app/controllers/spree/admin/payment_methods_controller.rb; and the (2) promotion_action parameter to promotion_actions_controller.rb, (3) promotion_rule parameter to promotion_rules_controller.rb, and (4) calculator_type parameter to promotions_controller.rb in promo/app/controllers/spree/admin/, related to unsafe use of the constantize function.
1.3.3
Affected by 3 other vulnerabilities.
2.0.0.rc1
Affected by 2 other vulnerabilities.
2.0.0
Affected by 2 other vulnerabilities.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-06-05T16:16:47.395290+00:00 GHSA Importer Affected by VCID-y37s-b27m-n7ad https://github.com/advisories/GHSA-jxx8-v83v-rhw3 38.6.0
2026-06-04T20:40:10.281781+00:00 GitLab Importer Affected by VCID-cwh1-mmky-ukcx https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/spree/CVE-2020-15269.yml 38.6.0
2026-06-04T20:04:44.240115+00:00 GitLab Importer Affected by VCID-s4mu-v75h-dfep https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/spree/OSVDB-119205.yml 38.6.0
2026-06-04T18:08:32.584821+00:00 Ruby Importer Affected by VCID-t9gu-2vs3-g7cu https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree/CVE-2013-2506.yml 38.6.0
2026-06-04T18:08:32.089378+00:00 Ruby Importer Affected by VCID-y37s-b27m-n7ad https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree/CVE-2013-1656.yml 38.6.0
2026-06-02T04:36:08.111119+00:00 GitLab Importer Affected by VCID-t9gu-2vs3-g7cu https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/spree/CVE-2013-2506.yml 38.6.0
2026-06-02T04:36:08.015855+00:00 GitLab Importer Affected by VCID-y37s-b27m-n7ad https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/spree/CVE-2013-1656.yml 38.6.0