12 matches found
CVE-2013-1656
CVE-2013-1656 affects Spree Commerce 1.0.x through 1.3.2, where remote authenticated administrators could instantiate arbitrary Ruby objects and execute commands via parameters (payment_method, promotion_action, promotion_rule, calculator_type) due to unsafe use of constantize in admin controller...
CVE-2020-26223
The CVE-2020-26223 issue affects Spree (Ruby on Rails) versions 3.7 and earlier than 3.7.13, 4.0.5, and 4.1.12, where an authorization bypass allows querying the API v2 Order Status endpoint with an empty string as the Order token. The vulnerability is mitigated by patches in 3.7.11, 4.0.4, and 4...
CVE-2008-7311
CVE-2008-7311 concerns the Spree 0.2.0 session cookie store, which uses a hardcoded config.action_controller_session hash (secret key). This weak key material can allow remote attackers to bypass cryptographic protections by exploiting an application that contains this value in config/environment...
CVE-2010-3978
Spree CVE-2010-3978 affects Spree 0.11.x before 0.11.2 and 0.30.x before 0.30.0. The issue is a JSON hijacking vulnerability where the application exchanges data via JSON without validating requests, enabling remote attackers to obtain sensitive information via admin endpoints: /admin/products.js...
CVE-2008-7310
CVE-2008-7310 involves Spree 0.2.0 where improper mass assignment allows an attacker to manipulate a hash to set the Order state via a modified URL, bypassing the intended payment step. The core issue is inadequate restrictions on model attribute assignment, enabling remote modification of order ...
CVE-2013-2506
The CVE-2013-2506 vulnerability affects spree_auth_devise within Spree 1.1.x (before 1.1.6) and in 1.2.x and 1.3.x, where app/models/spree/user.rb does not perform mass assignment safely during user updates. This allows remote authenticated users to assign arbitrary roles to themselves, indicatin...
CVE-2011-10019
Spreecommerce before 0.60.2 is vulnerable to remote command execution via the search[send][] input, which is dynamically invoked using Ruby’s send method and not properly sanitized. This allows an unauthenticated attacker to execute arbitrary shell commands on the server. Affected component: sear...
CVE-2011-10026
The CVE-2011-10026 issue affects Spreecommerce versions prior to 0.50.x, where the API search endpoint is vulnerable to remote command execution. The root cause is improper input sanitation that allows injection of arbitrary shell commands via the search[instance_eval] parameter, which is dynamic...
CVE-2026-22588
Summary (validated) : Spree (Ruby on Rails e-commerce) contains an authenticated IDOR vulnerability in which a user can retrieve other users’ address information by modifying an existing order. The flaw arises when an authenticated user manipulates address identifiers in the request during order ...
CVE-2026-25757
Spree (Ruby on Rails) is affected prior to versions 5.0.8, 5.1.10, 5.2.7, and 5.3.2. The root cause is that the OrdersController#show endpoint allows unauthenticated access to view completed guest orders by Order ID, and authorize_access does not enforce proper authorization for guest orders. Thi...
CVE-2026-22589
CVE-2026-22589 affects Spree (Rails e-commerce); unauthenticated IDOR allows access to guest address data. Affected: Spree versions before 4.10.2, 5.0.7, 5.1.9, and 5.2.5. Patch/mitigation: upgrade to 4.10.2+, 5.0.7+, 5.1.9+, or 5.2.5+. Root cause cited as faulty authorization (CanCanCan) leading...
CVE-2026-25758
CVE-2026-25758 is a high-severity IDOR in Spree Commerce’s guest checkout that lets an attacker bind arbitrary guest addresses to an order by manipulating plain address_id parameters. The issue bypasses ownership validation because guest orders have nil user_id, rendering the checks in address_bo...