spree_auth_devise allows remote authenticated users to assign themselves arbitrary roles

🗓️ 17 May 2022 05:13:40Reported by GitHub Advisory DatabaseType

github

github🔗 github.com👁 12 Views

spree_auth_devise user.rb mass assignment vulnerabilit

Reporter	Title	Published	Views	Family All 9
CVE	CVE-2013-2506	8 Mar 201318:00	–	cve
Cvelist	CVE-2013-2506	8 Mar 201318:00	–	cvelist
EUVD	EUVD-2022-4406	3 Oct 202520:07	–	euvd
NVD	CVE-2013-2506	8 Mar 201318:55	–	nvd
OSV	GHSA-JP57-9J37-5476 spree_auth_devise allows remote authenticated users to assign themselves arbitrary roles	17 May 202205:13	–	osv
Prion	Design/Logic Flaw	8 Mar 201318:55	–	prion
RubySec	Spree app/models/spree/user.rb Mass Role Assignment Remote Privilege Escalation	21 Feb 201300:00	–	rubygems
RubySec	Spree app/models/spree/user.rb Mass Role Assignment Remote Privilege Escalation	21 Feb 201300:00	–	rubygems
RubySec	Spree app/models/spree/user.rb Mass Role Assignment Remote Privilege Escalation	21 Feb 201300:00	–	rubygems

Vulners

Node

spreecommerce spree_auth_deviseRange1.0.0–3.0.5rubygems

Source	Link
nvd	www.nvd.nist.gov/vuln/detail/CVE-2013-2506
github	www.github.com/spree/spree_auth_devise/commit/038d74771d3b5c13d13b738b73dfda1033a99f65
github	www.github.com/spree/spree_auth_devise/commit/fda3ab9fb536c64fe18a9b78bb21c6176b3ea24d
web	www.web.archive.org/web/20131207040639/https://rubygems.org/gems/spree_auth_devise/versions
github	www.github.com/rubysec/ruby-advisory-db/blob/master/gems/spree_auth/CVE-2013-2506.yml
github	www.github.com/rubysec/ruby-advisory-db/blob/master/gems/spree_auth_devise/CVE-2013-2506.yml
web	www.web.archive.org/web/20160331131233/https://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed
github	www.github.com/advisories/GHSA-jp57-9j37-5476

03 Jul 2023 21:54Current

6.2Medium risk

Vulners AI Score6.2

CVSS 24

EPSS0.00171

spree_auth_devise user.rb vulnerability mass assignment