CVE-2013-2506
The CVE-2013-2506 vulnerability affects spree_auth_devise within Spree 1.1.x (before 1.1.6) and in 1.2.x and 1.3.x, where app/models/spree/user.rb does not perform mass assignment safely during user updates. This allows remote authenticated users to assign arbitrary roles to themselves, indicatin...