Lucene search
+L

175 matches found

Positive Technologies
Positive Technologies
added 2026/01/10 12:0 a.m.7 views

PT-2026-2215

Name of the Vulnerable Software and Affected Versions Spree versions prior to 4.10.2 Spree versions prior to 5.0.7 Spree versions prior to 5.1.9 Spree versions prior to 5.2.5 Description Spree is an open source e-commerce solution built with Ruby on Rails. An Unauthenticated Insecure Direct Objec...

7.5CVSS6.5AI score0.00383EPSS
Exploits1References14
RedhatCVE
RedhatCVE
added 2026/01/09 10:27 a.m.14 views

CVE-2008-7311

The session cookie store implementation in Spree 0.2.0 uses a hardcoded config.actioncontrollersession hash value aka secret key, which makes it easier for remote attackers to bypass cryptographic protection mechanisms by leveraging an application that contains this value within the...

5CVSS6.9AI score0.01244EPSS
Exploits0References1
OSV
OSV
added 2026/01/08 9:28 p.m.6 views

GHSA-3GHG-3787-W2XR Spree API has Unauthenticated IDOR - Guest Address

Summary An Unauthenticated Insecure Direct Object Reference IDOR vulnerability was identified that allows an unauthenticated attacker to access guest address information without supplying valid credentials or session cookies. Details During testing, it was observed that all guest users can make a...

7.5CVSS6.8AI score0.00383EPSS
Exploits1References8
Github Security Blog
Github Security Blog
added 2026/01/08 9:28 p.m.10 views

Spree API has Unauthenticated IDOR - Guest Address

Summary An Unauthenticated Insecure Direct Object Reference IDOR vulnerability was identified that allows an unauthenticated attacker to access guest address information without supplying valid credentials or session cookies. Details During testing, it was observed that all guest users can make a...

7.5CVSS6.9AI score0.00383EPSS
Exploits1References8Affected Software1
Snyk
Snyk
added 2026/01/08 9:27 p.m.4 views

Authorization Bypass Through User-Controlled Key

Overview spreeapi is a Spree Api module Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the checkout endpoint. An attacker can access and retrieve address information belonging to other users by modifying the address identifier in the order...

7.1CVSS6.9AI score0.00371EPSS
Exploits1References2
NVD
NVD
added 2026/01/08 9:15 p.m.38 views

CVE-2026-22588

Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5, an Authenticated Insecure Direct Object Reference IDOR vulnerability was identified that allows an authenticated user to retrieve other users’ address information by modifying ...

6.5CVSS0.00371EPSS
Exploits1References5
EUVD
EUVD
added 2026/01/08 8:53 p.m.7 views

EUVD-2026-1421

Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5, an Authenticated Insecure Direct Object Reference IDOR vulnerability was identified that allows an authenticated user to retrieve other users’ address information by modifying ...

6.5CVSS6AI score0.00371EPSS
Exploits1References7
Cvelist
Cvelist
added 2026/01/08 8:53 p.m.24 views

CVE-2026-22588 Spree API has Authenticated Insecure Direct Object Reference (IDOR) via Order Modification

Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5, an Authenticated Insecure Direct Object Reference IDOR vulnerability was identified that allows an authenticated user to retrieve other users’ address information by modifying ...

6.5CVSS0.00371EPSS
Exploits1References5
CVE
CVE
added 2026/01/08 8:53 p.m.21 views

CVE-2026-22588

Summary (validated) : Spree (Ruby on Rails e-commerce) contains an authenticated IDOR vulnerability in which a user can retrieve other users’ address information by modifying an existing order. The flaw arises when an authenticated user manipulates address identifiers in the request during order ...

6.5CVSS6.1AI score0.00371EPSS
Exploits1References5Affected Software1
OSV
OSV
added 2026/01/08 8:53 p.m.18 views

CVE-2026-22588 Spree API has Authenticated Insecure Direct Object Reference (IDOR) via Order Modification

Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5, an Authenticated Insecure Direct Object Reference IDOR vulnerability was identified that allows an authenticated user to retrieve other users’ address information by modifying ...

6.5CVSS6.1AI score0.00371EPSS
Exploits1References7
Vulnrichment
Vulnrichment
added 2026/01/08 8:53 p.m.7 views

CVE-2026-22588 Spree API has Authenticated Insecure Direct Object Reference (IDOR) via Order Modification

Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5, an Authenticated Insecure Direct Object Reference IDOR vulnerability was identified that allows an authenticated user to retrieve other users’ address information by modifying ...

6.5CVSS6.1AI score0.00371EPSS
Exploits1References5
CNNVD
CNNVD
added 2026/01/08 12:0 a.m.7 views

Spree 安全漏洞

Spree is an open source shopping mall using Ruby on Rails for individual developers. A security vulnerability exists in Spree versions prior to 4.10.2, 5.0.7, 5.1.9, and 5.2.5, which stems from an insecure direct object reference by an authenticated user that could lead to obtaining other users'...

6.5CVSS6.3AI score0.00371EPSS
Exploits1References6
Positive Technologies
Positive Technologies
added 2026/01/08 12:0 a.m.12 views

PT-2026-2214

Name of the Vulnerable Software and Affected Versions Spree versions prior to 4.10.2 Spree versions prior to 5.0.7 Spree versions prior to 5.1.9 Spree versions prior to 5.2.5 Description Spree is an open source e-commerce solution built with Ruby on Rails. An Authenticated Insecure Direct Object...

6.5CVSS6.2AI score0.00371EPSS
Exploits1References16
RubySec
RubySec
added 2026/01/08 12:0 a.m.8 views

Spree API has Unauthenticated IDOR - Guest Address

Summary An Unauthenticated Insecure Direct Object Reference IDOR vulnerability was identified that allows an unauthenticated attacker to access guest address information without supplying valid credentials or session cookies. Details During testing, it was observed that all guest users can make a...

7.5CVSS6.7AI score0.00383EPSS
Exploits1References1Affected Software1
RubySec
RubySec
added 2026/01/08 12:0 a.m.9 views

Spree API has Authenticated Insecure Direct Object Reference (IDOR) via Order Modification

Summary An Authenticated Insecure Direct Object Reference IDOR vulnerability was identified that allows an authenticated user to retrieve other users’ address information by modifying an existing order. By editing an order they legitimately own and manipulating address identifiers in the request,...

6.5CVSS6.1AI score0.00371EPSS
Exploits1References1Affected Software1
HackRead
HackRead
added 2025/12/31 1:7 p.m.6 views

2 US Cybersecurity Experts Guilty of Extortion Scheme for ALPHV Ransomware

Can you trust your cybersecurity team? A recent federal case reveals how two US-based cybersecurity experts turned into affiliates for the BlackCat ransomware group, extorting over $1.2M in Bitcoin. Read the full story on their 2023 crime spree...

7AI score
Exploits0
OSV
OSV
added 2025/11/13 3:23 a.m.3 views

MAL-2025-185565 Malicious code in array-async-export-lambda-transpile (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d1c2bf7c9af1def9500860d07c8a0a69f31f3575833535c28b6b1d0715a5dd9f This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

6.8AI score
Exploits0
OSSF Malicious Packages
OSSF Malicious Packages
added 2025/11/11 2:29 a.m.2 views

Malicious code in dono-tapai45-breki (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 804d8ca013c250b43b6a41292ece5d1a6f356b33923f21c00b2eeec5d7f1c39f This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

6.9AI score
Exploits0
OSV
OSV
added 2025/11/10 5:21 p.m.2 views

MAL-2025-56865 Malicious code in irma-brongkos82-sukiwir (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a0a4c62519404de950be28964f0da9e057b1d723453649603e3b0b99291e3364 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

6.8AI score
Exploits0
EUVD
EUVD
added 2025/10/07 12:30 a.m.6 views

EUVD-2020-1427

Malware in sbrugna...

9.1CVSS9AI score0.01064EPSS
Exploits0References6
Rows per page
Query Builder