Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline

Spreecommerce Security Vulnerabilities

cve
cve

CVE-2021-41275

spree_auth_devise is an open source library which provides authentication and authorization services for use with the Spree storefront framework by using an underlying Devise authentication framework. In affected versions spree_auth_devise is subject to a CSRF vulnerability that allows user...

9.3CVSS

8.5AI Score

0.001EPSS

2021-11-17 08:15 PM
49
4
cve
cve

CVE-2008-7310

Spree 0.2.0 does not properly restrict the use of a hash to provide values for a model's attributes, which allows remote attackers to set the Order state value and bypass the intended payment step via a modified URL, related to a "mass assignment"...

6.8AI Score

0.001EPSS

2022-10-03 04:13 PM
32
cve
cve

CVE-2008-7311

The session cookie store implementation in Spree 0.2.0 uses a hardcoded config.action_controller_session hash value (aka secret key), which makes it easier for remote attackers to bypass cryptographic protection mechanisms by leveraging an application that contains this value within the...

6.8AI Score

0.001EPSS

2022-10-03 04:13 PM
43
cve
cve

CVE-2020-26223

Spree is a complete open source e-commerce solution built with Ruby on Rails. In Spree from version 3.7 and before versions 3.7.13, 4.0.5, and 4.1.12, there is an authorization bypass vulnerability. The perpetrator could query the API v2 Order Status endpoint with an empty string passed as an...

7.7CVSS

6.2AI Score

0.002EPSS

2020-11-13 06:15 PM
62
cve
cve

CVE-2013-1656

Spree Commerce 1.0.x through 1.3.2 allows remote authenticated administrators to instantiate arbitrary Ruby objects and execute arbitrary commands via the (1) payment_method parameter to core/app/controllers/spree/admin/payment_methods_controller.rb; and the (2) promotion_action parameter to...

7.5AI Score

0.003EPSS

2013-03-08 06:55 PM
49
cve
cve

CVE-2013-2506

app/models/spree/user.rb in spree_auth_devise in Spree 1.1.x before 1.1.6, 1.2.x, and 1.3.x does not perform mass assignment safely when updating a user, which allows remote authenticated users to assign arbitrary roles to...

6.5AI Score

0.001EPSS

2013-03-08 06:55 PM
28
cve
cve

CVE-2010-3978

Spree 0.11.x before 0.11.2 and 0.30.x before 0.30.0 exchanges data using JavaScript Object Notation (JSON) without a mechanism for validating requests, which allows remote attackers to obtain sensitive information via vectors involving (1) admin/products.json, (2) admin/users.json, or (3)...

6.2AI Score

0.005EPSS

2010-11-17 04:00 PM
28