VulnerableCode Vulnerability Details - VCID-fsst-gsez-k3fz

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-fsst-gsez-k3fz

Essentials
Severities (15)
References (17)
Severity details (12)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-fsst-gsez-k3fz
Aliases	CVE-2010-3978 GHSA-hwrx-wc75-mgh7 OSV-69098
Summary	Exposure of Sensitive Information to an Unauthorized Actor Spree exchanges data using JavaScript Object Notation (JSON) without a mechanism for validating requests, which allows remote attackers to obtain sensitive information via vectors involving (1) admin/products.json, (2) admin/users.json, or (3) admin/overview/get_report_data, related to a "JSON hijacking" issue.
Status	Published
Exploitability	0.5
Weighted Severity	6.2
Risk	3.1
Affected and Fixed Packages	Package Details

Weaknesses (3)

CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-200	Exposure of Sensitive Information to an Unauthorized Actor
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
epss	0.00635	https://api.first.org/data/v1/epss?cve=CVE-2010-3978
epss	0.00635	https://api.first.org/data/v1/epss?cve=CVE-2010-3978
epss	0.00635	https://api.first.org/data/v1/epss?cve=CVE-2010-3978
generic_textual	MODERATE	https://github.com/railsdog/spree/commit/19944bd999c310d9b10d16a41f48ebac97dc4fac
generic_textual	MODERATE	https://github.com/railsdog/spree/commit/d881b2bb610ea33e2364ff16feb8e702dfeda135
generic_textual	MODERATE	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree/CVE-2010-3978.yml
generic_textual	MODERATE	https://github.com/spree/spree
generic_textual	MODERATE	https://nvd.nist.gov/vuln/detail/CVE-2010-3978
generic_textual	MODERATE	http://spreecommerce.com/blog/2010/11/02/json-hijacking-vulnerability
generic_textual	MODERATE	http://spreecommerce.com/blog/2010/11/09/spree-0-30-0-released
generic_textual	MODERATE	https://spreecommerce.com/blog/json-hijacking-vulnerability
generic_textual	MODERATE	http://twitter.com/conviso/statuses/29555076248
generic_textual	MODERATE	http://www.conviso.com.br/json-hijacking-vulnerability
generic_textual	MODERATE	http://www.conviso.com.br/security-advisory-spree-e-commerce-json-v-0-11x
generic_textual	MODERATE	http://www.securityfocus.com/archive/1/514674/100/0/threaded

Reference id	Reference type	URL
		https://api.first.org/data/v1/epss?cve=CVE-2010-3978
		https://github.com/railsdog/spree/commit/19944bd999c310d9b10d16a41f48ebac97dc4fac
		https://github.com/railsdog/spree/commit/d881b2bb610ea33e2364ff16feb8e702dfeda135
		https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree/CVE-2010-3978.yml
		https://github.com/spree/spree
		http://spreecommerce.com/blog/2010/11/02/json-hijacking-vulnerability
		http://spreecommerce.com/blog/2010/11/02/json-hijacking-vulnerability/
		http://spreecommerce.com/blog/2010/11/09/spree-0-30-0-released
		http://spreecommerce.com/blog/2010/11/09/spree-0-30-0-released/
		https://spreecommerce.com/blog/json-hijacking-vulnerability
		http://twitter.com/conviso/statuses/29555076248
		http://www.conviso.com.br/json-hijacking-vulnerability
		http://www.conviso.com.br/json-hijacking-vulnerability/
		http://www.conviso.com.br/security-advisory-spree-e-commerce-json-v-0-11x
		http://www.conviso.com.br/security-advisory-spree-e-commerce-json-v-0-11x/
		http://www.securityfocus.com/archive/1/514674/100/0/threaded
CVE-2010-3978		https://nvd.nist.gov/vuln/detail/CVE-2010-3978

No exploits are available.

Exploit Prediction Scoring System (EPSS)

Percentile	0.7078
EPSS Score	0.00635
Published At	June 4, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-06-02T04:36:03.868919+00:00	GitLab Importer	Import	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/spree/CVE-2010-3978.yml	38.6.0