175 matches found
PT-2026-2215
Name of the Vulnerable Software and Affected Versions Spree versions prior to 4.10.2 Spree versions prior to 5.0.7 Spree versions prior to 5.1.9 Spree versions prior to 5.2.5 Description Spree is an open source e-commerce solution built with Ruby on Rails. An Unauthenticated Insecure Direct Objec...
CVE-2008-7311
The session cookie store implementation in Spree 0.2.0 uses a hardcoded config.actioncontrollersession hash value aka secret key, which makes it easier for remote attackers to bypass cryptographic protection mechanisms by leveraging an application that contains this value within the...
GHSA-3GHG-3787-W2XR Spree API has Unauthenticated IDOR - Guest Address
Summary An Unauthenticated Insecure Direct Object Reference IDOR vulnerability was identified that allows an unauthenticated attacker to access guest address information without supplying valid credentials or session cookies. Details During testing, it was observed that all guest users can make a...
Spree API has Unauthenticated IDOR - Guest Address
Summary An Unauthenticated Insecure Direct Object Reference IDOR vulnerability was identified that allows an unauthenticated attacker to access guest address information without supplying valid credentials or session cookies. Details During testing, it was observed that all guest users can make a...
Authorization Bypass Through User-Controlled Key
Overview spreeapi is a Spree Api module Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the checkout endpoint. An attacker can access and retrieve address information belonging to other users by modifying the address identifier in the order...
CVE-2026-22588
Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5, an Authenticated Insecure Direct Object Reference IDOR vulnerability was identified that allows an authenticated user to retrieve other users’ address information by modifying ...
EUVD-2026-1421
Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5, an Authenticated Insecure Direct Object Reference IDOR vulnerability was identified that allows an authenticated user to retrieve other users’ address information by modifying ...
CVE-2026-22588 Spree API has Authenticated Insecure Direct Object Reference (IDOR) via Order Modification
Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5, an Authenticated Insecure Direct Object Reference IDOR vulnerability was identified that allows an authenticated user to retrieve other users’ address information by modifying ...
CVE-2026-22588
Summary (validated) : Spree (Ruby on Rails e-commerce) contains an authenticated IDOR vulnerability in which a user can retrieve other users’ address information by modifying an existing order. The flaw arises when an authenticated user manipulates address identifiers in the request during order ...
CVE-2026-22588 Spree API has Authenticated Insecure Direct Object Reference (IDOR) via Order Modification
Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5, an Authenticated Insecure Direct Object Reference IDOR vulnerability was identified that allows an authenticated user to retrieve other users’ address information by modifying ...
CVE-2026-22588 Spree API has Authenticated Insecure Direct Object Reference (IDOR) via Order Modification
Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5, an Authenticated Insecure Direct Object Reference IDOR vulnerability was identified that allows an authenticated user to retrieve other users’ address information by modifying ...
Spree 安全漏洞
Spree is an open source shopping mall using Ruby on Rails for individual developers. A security vulnerability exists in Spree versions prior to 4.10.2, 5.0.7, 5.1.9, and 5.2.5, which stems from an insecure direct object reference by an authenticated user that could lead to obtaining other users'...
PT-2026-2214
Name of the Vulnerable Software and Affected Versions Spree versions prior to 4.10.2 Spree versions prior to 5.0.7 Spree versions prior to 5.1.9 Spree versions prior to 5.2.5 Description Spree is an open source e-commerce solution built with Ruby on Rails. An Authenticated Insecure Direct Object...
Spree API has Unauthenticated IDOR - Guest Address
Summary An Unauthenticated Insecure Direct Object Reference IDOR vulnerability was identified that allows an unauthenticated attacker to access guest address information without supplying valid credentials or session cookies. Details During testing, it was observed that all guest users can make a...
Spree API has Authenticated Insecure Direct Object Reference (IDOR) via Order Modification
Summary An Authenticated Insecure Direct Object Reference IDOR vulnerability was identified that allows an authenticated user to retrieve other users’ address information by modifying an existing order. By editing an order they legitimately own and manipulating address identifiers in the request,...
2 US Cybersecurity Experts Guilty of Extortion Scheme for ALPHV Ransomware
Can you trust your cybersecurity team? A recent federal case reveals how two US-based cybersecurity experts turned into affiliates for the BlackCat ransomware group, extorting over $1.2M in Bitcoin. Read the full story on their 2023 crime spree...
MAL-2025-185565 Malicious code in array-async-export-lambda-transpile (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d1c2bf7c9af1def9500860d07c8a0a69f31f3575833535c28b6b1d0715a5dd9f This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in dono-tapai45-breki (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 804d8ca013c250b43b6a41292ece5d1a6f356b33923f21c00b2eeec5d7f1c39f This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-56865 Malicious code in irma-brongkos82-sukiwir (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a0a4c62519404de950be28964f0da9e057b1d723453649603e3b0b99291e3364 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
EUVD-2020-1427
Malware in sbrugna...