7 matches found

OSV
added 2017/10/24 6:33 p.m., 20 views

GHSA-JXX8-V83V-RHW3 Spree Improper Input Validation vulnerability

Spree Commerce 1.0.x before 2.0.0.rc1 allows remote authenticated administrators to instantiate arbitrary Ruby objects and execute arbitrary commands via the (1) payment_method parameter to core/app/controllers/spree/admin/payment_methods_controller.rb; and the (2) promotion_action parameter to...

CVSS 4.3, AI score 7, EPSS 0.00305
Exploits 1, References 8
Github Security Blog
added 2017/10/24 6:33 p.m., 28 views

Spree Improper Input Validation vulnerability

Spree Commerce 1.0.x before 2.0.0.rc1 allows remote authenticated administrators to instantiate arbitrary Ruby objects and execute arbitrary commands via the (1) payment_method parameter to core/app/controllers/spree/admin/payment_methods_controller.rb; and the (2) promotion_action parameter to...

CVSS 4.3, AI score 7, EPSS 0.00305
Exploits 1, References 8, Affected Software 1
CVE
added 2013/03/08 6:00 p.m., 79 views

CVE-2013-1656

CVE-2013-1656 affects Spree Commerce 1.0.x through 1.3.2, where remote authenticated administrators could instantiate arbitrary Ruby objects and execute commands via parameters (payment_method, promotion_action, promotion_rule, calculator_type) due to unsafe use of constantize in admin controller...

CVSS 4.3, AI score 7.5, EPSS 0.00305
Exploits 1, References 3, Affected Software 1
RubySec
added 2013/02/21 12:00 a.m., 11 views

Spree payment_methods_controller.rb payment_method Parameter Arbitrary Ruby Object Instantiation Command Execution

Spree contains a flaw that is triggered when handling input passed via the 'payment_method' parameter to payment_methods_controller.rb. This may allow a remote authenticated attacker to instantiate arbitrary Ruby objects and potentially execute arbitrary commands...

AI score 5.1, EPSS 0.00305
Exploits 1, References 1, Affected Software 1
RubySec
added 2013/02/21 12:00 a.m., 19 views

Spree controller Parameter Arbitrary Ruby Object Instantiation Command Execution

Spree Commerce 1.0.x before 2.0.0.rc1 allows remote authenticated administrators to instantiate arbitrary Ruby objects and execute arbitrary commands via the (1) payment_method parameter to core/app/controllers/spree/admin/payment_methods_controller.rb; and the (2) promotion_action parameter to...

CVSS 4.3, AI score 6.8, EPSS 0.00305
Exploits 1, References 1, Affected Software 1
RubySec
added 2013/02/21 12:00 a.m., 9 views

Spree promotion_rules_controller.rb promotion_rule Parameter Arbitrary Ruby Object Instantiation Command Execution

Spree contains a flaw that is triggered when handling input passed via the 'promotion_rule' parameter to promotion_rules_controller.rb. This may allow a remote authenticated attacker to instantiate arbitrary Ruby objects and potentially execute arbitrary commands...

AI score 5.1, EPSS 0.00305
Exploits 1, References 1, Affected Software 1
RubySec
added 2013/02/21 12:00 a.m., 13 views

Spree promotions_controller.rb calculator_type Parameter Arbitrary Ruby Object Instantiation Command Execution

Spree contains a flaw that is triggered when handling input passed via the 'calculator_type' parameter to promotions_controller.rb. This may allow a remote authenticated attacker to instantiate arbitrary Ruby objects and potentially execute arbitrary commands...

AI score 5.1, EPSS 0.00305
Exploits 1, References 1, Affected Software 1