VulnerableCode Package Details - pkg:gem/spree@1.3.3

Search for packages

Vulnerability	Summary	Fixed by
VCID-cwh1-mmky-ukcx Aliases: CVE-2020-15269 GHSA-f8cm-364f-q9qh	Ensure that doorkeeper_token is valid when authenticating requests in API v2 calls ### Impact The perpetrator who previously obtained an old expired user token could use it to access Storefront API v2 endpoints. ### Patches Please upgrade to 3.7.11, 4.0.4, or 4.1.11 depending on your used Spree version.	3.7.11 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 4.0.4 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 4.1.11 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-s4mu-v75h-dfep Aliases: OSVDB-119205	Private information access through CSRF A vulnerability in the API can allow an attacker to commit CSRF gaining access to private information.	2.2.10 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 2.3.8 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 2.4.5 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 3.0.0.rc4 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-y37s-b27m-n7ad Aliases: CVE-2013-1656 GHSA-jxx8-v83v-rhw3	Authenticated administrators to execute arbitrary commands Spree Commerce allow remote authenticated administrators to instantiate arbitrary Ruby objects and execute arbitrary commands via the (1) payment_method parameter to core/app/controllers/spree/admin/payment_methods_controller.rb; and the (2) promotion_action parameter to promotion_actions_controller.rb, (3) promotion_rule parameter to promotion_rules_controller.rb, and (4) calculator_type parameter to promotions_controller.rb in promo/app/controllers/spree/admin/, related to unsafe use of the constantize function.	2.0.0.rc1 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 2.0.0 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-cwh1-mmky-ukcx
Aliases:
CVE-2020-15269
GHSA-f8cm-364f-q9qh

Ensure that doorkeeper_token is valid when authenticating requests in API v2 calls ### Impact The perpetrator who previously obtained an old expired user token could use it to access Storefront API v2 endpoints. ### Patches Please upgrade to 3.7.11, 4.0.4, or 4.1.11 depending on your used Spree version.

3.7.11
Affected by 1 other vulnerability.

4.0.4
Affected by 1 other vulnerability.

4.1.11
Affected by 1 other vulnerability.

VCID-s4mu-v75h-dfep
Aliases:
OSVDB-119205

Private information access through CSRF A vulnerability in the API can allow an attacker to commit CSRF gaining access to private information.

2.2.10
Affected by 1 other vulnerability.

2.3.8
Affected by 1 other vulnerability.

2.4.5
Affected by 1 other vulnerability.

3.0.0.rc4
Affected by 1 other vulnerability.

VCID-y37s-b27m-n7ad
Aliases:
CVE-2013-1656
GHSA-jxx8-v83v-rhw3

Authenticated administrators to execute arbitrary commands Spree Commerce allow remote authenticated administrators to instantiate arbitrary Ruby objects and execute arbitrary commands via the (1) payment_method parameter to core/app/controllers/spree/admin/payment_methods_controller.rb; and the (2) promotion_action parameter to promotion_actions_controller.rb, (3) promotion_rule parameter to promotion_rules_controller.rb, and (4) calculator_type parameter to promotions_controller.rb in promo/app/controllers/spree/admin/, related to unsafe use of the constantize function.

2.0.0.rc1
Affected by 2 other vulnerabilities.

2.0.0
Affected by 2 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-y37s-b27m-n7ad	Authenticated administrators to execute arbitrary commands Spree Commerce allow remote authenticated administrators to instantiate arbitrary Ruby objects and execute arbitrary commands via the (1) payment_method parameter to core/app/controllers/spree/admin/payment_methods_controller.rb; and the (2) promotion_action parameter to promotion_actions_controller.rb, (3) promotion_rule parameter to promotion_rules_controller.rb, and (4) calculator_type parameter to promotions_controller.rb in promo/app/controllers/spree/admin/, related to unsafe use of the constantize function.	CVE-2013-1656 GHSA-jxx8-v83v-rhw3

Vulnerability

Summary

Aliases

VCID-y37s-b27m-n7ad

CVE-2013-1656
GHSA-jxx8-v83v-rhw3

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-05T16:16:47.399208+00:00	GHSA Importer	Affected by	VCID-y37s-b27m-n7ad	https://github.com/advisories/GHSA-jxx8-v83v-rhw3	38.6.0
2026-06-04T20:40:10.285689+00:00	GitLab Importer	Affected by	VCID-cwh1-mmky-ukcx	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/spree/CVE-2020-15269.yml	38.6.0
2026-06-04T20:04:44.241573+00:00	GitLab Importer	Affected by	VCID-s4mu-v75h-dfep	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/spree/OSVDB-119205.yml	38.6.0
2026-06-02T04:36:08.026389+00:00	GitLab Importer	Fixing	VCID-y37s-b27m-n7ad	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/spree/CVE-2013-1656.yml	38.6.0