CVE-2013-1656
CVE-2013-1656 affects Spree Commerce 1.0.x through 1.3.2, where remote authenticated administrators could instantiate arbitrary Ruby objects and execute commands via parameters (payment_method, promotion_action, promotion_rule, calculator_type) due to unsafe use of constantize in admin controller...