Spreecommerce » Spree » 1.2.0 : Security Vulnerabilities, CVEs,

cpe:2.3:a:spreecommerce:spree:1.2.0:*:*:*:*:*:*:*

CVE-2013-2506

app/models/spree/user.rb in spree_auth_devise in Spree 1.1.x before 1.1.6, 1.2.x, and 1.3.x does not perform mass assignment safely when updating a user, which allows remote authenticated users to assign arbitrary roles to themselves.
Max CVSS
4.0
EPSS Score
0.09%
Published
2013-03-08
Updated
2013-03-18

CVE-2013-1656

Spree Commerce 1.0.x through 1.3.2 allows remote authenticated administrators to instantiate arbitrary Ruby objects and execute arbitrary commands via the (1) payment_method parameter to core/app/controllers/spree/admin/payment_methods_controller.rb; and the (2) promotion_action parameter to promotion_actions_controller.rb, (3) promotion_rule parameter to promotion_rules_controller.rb, and (4) calculator_type parameter to promotions_controller.rb in promo/app/controllers/spree/admin/, related to unsafe use of the constantize function.
Max CVSS
4.3
EPSS Score
0.29%
Published
2013-03-08
Updated
2020-12-04
2 vulnerabilities found
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!
Accept Close