CVE-2013-1656
Spree Commerce 1.0.x through 1.3.2 allows remote authenticated administrators to instantiate arbitrary Ruby objects and execute arbitrary commands via the (1) payment_method parameter to core/app/controllers/spree/admin/payment_methods_controller.rb; and the (2) promotion_action parameter to...
CVE-2013-1656
CVE-2013-1656 affects Spree Commerce 1.0.x through 1.3.2, where remote authenticated administrators could instantiate arbitrary Ruby objects and execute commands via parameters (payment_method, promotion_action, promotion_rule, calculator_type) due to unsafe use of constantize in admin controller...
Spree controller Parameter Arbitrary Ruby Object Instantiation Command Execution
Spree Commerce 1.0.x before 2.0.0.rc1 allows remote authenticated administrators to instantiate arbitrary Ruby objects and execute arbitrary commands via the (1) payment_method parameter to core/app/controllers/spree/admin/payment_methods_controller.rb; and the (2) promotion_action parameter to...