Remote Command Execution in Spree search functionality
Spree versions prior to 0.60.2 contain a remote command execution vulnerability in the search functionality. The application fails to properly sanitize input passed via the search:send parameter, which is dynamically invoked using Ruby’s send method. This allows attackers to execute arbitrary she...
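To show the defect the advisory describes (a request parameter used as the method name for `send`) next to the corrected pattern, here is an added illustration that is not Spree's code; the `Searcher` class, its methods and the product records are constructed stand-ins.

```ruby
# Added illustration, not Spree's code: dispatching on a user-supplied method
# name via `send`, and the allowlist fix. Searcher and its methods are
# hypothetical stand-ins for the search object the parameter reached.

class Searcher
  def initialize(products)
    @products = products
  end

  # Legitimate search operations a caller is meant to reach.
  def by_name(term)
    @products.select { |p| p[:name].include?(term) }
  end

  def by_sku(term)
    @products.select { |p| p[:sku] == term }
  end

  private

  # Internal helper that must never be reachable from request parameters.
  def drop_index(_term)
    'index dropped'
  end
end

# Vulnerable pattern: the method name comes straight from the request and
# `send` ignores visibility, so any method, public or private, is reachable.
def search_unsafe(searcher, params)
  searcher.send(params[:send], params[:keywords])
end

# Hardened pattern: map the untrusted string onto an explicit allowlist of
# symbols and refuse everything else; public_send also honours visibility.
ALLOWED_SEARCHES = { 'by_name' => :by_name, 'by_sku' => :by_sku }.freeze

def search_safe(searcher, params)
  method = ALLOWED_SEARCHES[params[:send].to_s]
  raise ArgumentError, "unknown search type: #{params[:send].inspect}" unless method

  searcher.public_send(method, params[:keywords])
end

# Constructed sample catalogue for running the two functions locally.
PRODUCTS = [
  { name: 'Ruby on Rails Tote', sku: 'CON-00011' },
  { name: 'Spree Baseball Jersey', sku: 'CON-00001' }
].freeze
```

The same allowlist shape applies to any Rails action that turns a parameter into a method or constant name; rejecting unknown values and logging the rejection also gives a detection point for probing.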