Spree Security Vulnerabilities and Issues — Spree CVE List

Lucene search

SpreecommerceSpree

8 matches found

CVE•added 2020/11/13 6:15 p.m.•76 views

CVE-2020-26223

Spree is a complete open source e-commerce solution built with Ruby on Rails. In Spree from version 3.7 and before versions 3.7.13, 4.0.5, and 4.1.12, there is an authorization bypass vulnerability. The perpetrator could query the API v2 Order Status endpoint with an empty string passed as an Order...

7.7CVSS6.4AI score0.00267EPSS

CVE•added 2013/03/08 6:55 p.m.•73 views

CVE-2013-1656

Spree Commerce 1.0.x through 1.3.2 allows remote authenticated administrators to instantiate arbitrary Ruby objects and execute arbitrary commands via the (1) payment_method parameter to core/app/controllers/spree/admin/payment_methods_controller.rb; and the (2) promotion_action parameter to promot...

4.3CVSS7.5AI score0.00305EPSS

Web

CVE•added 2012/04/05 1:25 p.m.•60 views

CVE-2008-7311

The session cookie store implementation in Spree 0.2.0 uses a hardcoded config.action_controller_session hash value (aka secret key), which makes it easier for remote attackers to bypass cryptographic protection mechanisms by leveraging an application that contains this value within the config/envi...

5CVSS6.8AI score0.00158EPSS

CVE•added 2010/11/17 4:0 p.m.•46 views

CVE-2010-3978

Spree 0.11.x before 0.11.2 and 0.30.x before 0.30.0 exchanges data using JavaScript Object Notation (JSON) without a mechanism for validating requests, which allows remote attackers to obtain sensitive information via vectors involving (1) admin/products.json, (2) admin/users.json, or (3) admin/ove...

5CVSS6.2AI score0.00635EPSS

CVE•added 2012/04/05 1:25 p.m.•45 views

CVE-2008-7310

Spree 0.2.0 does not properly restrict the use of a hash to provide values for a model's attributes, which allows remote attackers to set the Order state value and bypass the intended payment step via a modified URL, related to a "mass assignment" vulnerability.

5CVSS6.8AI score0.00158EPSS

CVE•added 2013/03/08 6:55 p.m.•42 views

CVE-2013-2506

app/models/spree/user.rb in spree_auth_devise in Spree 1.1.x before 1.1.6, 1.2.x, and 1.3.x does not perform mass assignment safely when updating a user, which allows remote authenticated users to assign arbitrary roles to themselves.

4CVSS6.5AI score0.00171EPSS

CVE•added 2025/08/13 9:15 p.m.•10 views

CVE-2011-10019

Spreecommerce versions prior to 0.60.2 contains a remote command execution vulnerability in its search functionality. The application fails to properly sanitize input passed via the search[send][] parameter, which is dynamically invoked using Ruby’s send method. This allows attackers to execute arb...

10CVSS8.2AI score0.01392EPSS

CVE•added 2025/08/20 4:15 p.m.•9 views

CVE-2011-10026

Spreecommerce versions prior to 0.50.x contain a remote command execution vulnerability in the API's search functionality. Improper input sanitation allows attackers to inject arbitrary shell commands via the search[instance_eval] parameter, which is dynamically invoked using Ruby’s send method. Th...

9.8CVSS7.4AI score0.01223EPSS