Lucene search
K
SpreecommerceSpree

12 matches found

CVE
CVE
added 2013/03/08 6:0 p.m.87 views

CVE-2013-1656

CVE-2013-1656 affects Spree Commerce 1.0.x through 1.3.2, where remote authenticated administrators could instantiate arbitrary Ruby objects and execute commands via parameters (payment_method, promotion_action, promotion_rule, calculator_type) due to unsafe use of constantize in admin controller...

4.3CVSS7.5AI score0.01531EPSS
Web
CVE
CVE
added 2020/11/13 5:25 p.m.86 views

CVE-2020-26223

The CVE-2020-26223 issue affects Spree (Ruby on Rails) versions 3.7 and earlier than 3.7.13, 4.0.5, and 4.1.12, where an authorization bypass allows querying the API v2 Order Status endpoint with an empty string as the Order token. The vulnerability is mitigated by patches in 3.7.11, 4.0.4, and 4...

7.7CVSS6.4AI score0.01111EPSS
CVE
CVE
added 2012/04/04 10:0 p.m.69 views

CVE-2008-7311

CVE-2008-7311 concerns the Spree 0.2.0 session cookie store, which uses a hardcoded config.action_controller_session hash (secret key). This weak key material can allow remote attackers to bypass cryptographic protections by exploiting an application that contains this value in config/environment...

5CVSS6.8AI score0.01244EPSS
CVE
CVE
added 2010/11/17 3:0 p.m.57 views

CVE-2010-3978

Spree CVE-2010-3978 affects Spree 0.11.x before 0.11.2 and 0.30.x before 0.30.0. The issue is a JSON hijacking vulnerability where the application exchanges data via JSON without validating requests, enabling remote attackers to obtain sensitive information via admin endpoints: /admin/products.js...

5CVSS6.2AI score0.02534EPSS
CVE
CVE
added 2012/04/04 10:0 p.m.56 views

CVE-2008-7310

CVE-2008-7310 involves Spree 0.2.0 where improper mass assignment allows an attacker to manipulate a hash to set the Order state via a modified URL, bypassing the intended payment step. The core issue is inadequate restrictions on model attribute assignment, enabling remote modification of order ...

5CVSS6.8AI score0.01244EPSS
CVE
CVE
added 2013/03/08 6:0 p.m.52 views

CVE-2013-2506

The CVE-2013-2506 vulnerability affects spree_auth_devise within Spree 1.1.x (before 1.1.6) and in 1.2.x and 1.3.x, where app/models/spree/user.rb does not perform mass assignment safely during user updates. This allows remote authenticated users to assign arbitrary roles to themselves, indicatin...

4CVSS6.5AI score0.01265EPSS
CVE
CVE
added 2025/08/13 8:53 p.m.24 views

CVE-2011-10019

Spreecommerce before 0.60.2 is vulnerable to remote command execution via the search[send][] input, which is dynamically invoked using Ruby’s send method and not properly sanitized. This allows an unauthenticated attacker to execute arbitrary shell commands on the server. Affected component: sear...

10CVSS8.2AI score0.03818EPSS
CVE
CVE
added 2025/08/20 3:41 p.m.24 views

CVE-2011-10026

The CVE-2011-10026 issue affects Spreecommerce versions prior to 0.50.x, where the API search endpoint is vulnerable to remote command execution. The root cause is improper input sanitation that allows injection of arbitrary shell commands via the search[instance_eval] parameter, which is dynamic...

9.8CVSS7.4AI score0.02464EPSS
CVE
CVE
added 2026/01/08 8:53 p.m.20 views

CVE-2026-22588

Summary (validated) : Spree (Ruby on Rails e-commerce) contains an authenticated IDOR vulnerability in which a user can retrieve other users’ address information by modifying an existing order. The flaw arises when an authenticated user manipulates address identifiers in the request during order ...

6.5CVSS6.1AI score0.00371EPSS
CVE
CVE
added 2026/02/06 10:37 p.m.17 views

CVE-2026-25757

Spree (Ruby on Rails) is affected prior to versions 5.0.8, 5.1.10, 5.2.7, and 5.3.2. The root cause is that the OrdersController#show endpoint allows unauthenticated access to view completed guest orders by Order ID, and authorize_access does not enforce proper authorization for guest orders. Thi...

8.7CVSS5.3AI score0.00441EPSS
CVE
CVE
added 2026/01/10 3:17 a.m.13 views

CVE-2026-22589

CVE-2026-22589 affects Spree (Rails e-commerce); unauthenticated IDOR allows access to guest address data. Affected: Spree versions before 4.10.2, 5.0.7, 5.1.9, and 5.2.5. Patch/mitigation: upgrade to 4.10.2+, 5.0.7+, 5.1.9+, or 5.2.5+. Root cause cited as faulty authorization (CanCanCan) leading...

7.5CVSS6.4AI score0.00383EPSS
CVE
CVE
added 2026/02/06 9:29 p.m.13 views

CVE-2026-25758

CVE-2026-25758 is a high-severity IDOR in Spree Commerce’s guest checkout that lets an attacker bind arbitrary guest addresses to an order by manipulating plain address_id parameters. The issue bypasses ownership validation because guest orders have nil user_id, rendering the checks in address_bo...

8.7CVSS5.6AI score0.00599EPSS