Spreecommerce Spree vulnerabilities and exploits
CVE-2021-41275 (CVSSv2 score 6.8)
spree_auth_devise is an open source library which provides authentication and authorization services for use with the Spree storefront framework by using an underlying Devise authentication framework. In affected versions spree_auth_devise is subject to a CSRF vulnerability that ...
Affected products: Spreecommerce Spree Auth Devise; Spreecommerce Spree Auth Devise 4.1.0; Spreecommerce Spree Auth Devise 4.2.0
CVE-2020-26223 (CVSSv2 score 4)
Spree is a complete open source e-commerce solution built with Ruby on Rails. In Spree from version 3.7 and prior to 3.7.13, 4.0.5, and 4.1.12, there is an authorization bypass vulnerability. The perpetrator could query the API v2 Order Status endpoint with an empty string passed...
Affected products: Spreecommerce Spree
CVE-2013-2506 (CVSSv2 score 4)
app/models/spree/user.rb in spree_auth_devise in Spree 1.1.x prior to 1.1.6, 1.2.x, and 1.3.x does not perform mass assignment safely when updating a user, which allows remote authenticated users to assign arbitrary roles to themselves.
Affected products: Spreecommerce Spree 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.1.6, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.3.0, 1.3.1, 1.3.2
CVE-2013-1656 (CVSSv2 score 4.3)
Spree Commerce 1.0.x up to and including 1.3.2 allows remote authenticated administrators to instantiate arbitrary Ruby objects and execute arbitrary commands via the (1) payment_method parameter to core/app/controllers/spree/admin/payment_methods_controller.rb; and the (2) promo...
Affected products: Spreecommerce Spree 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.1.6, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.3.0, 1.3.1
CVE-2008-7310 (CVSSv2 score 5)
Spree 0.2.0 does not properly restrict the use of a hash to provide values for a model's attributes, which allows remote malicious users to set the Order state value and bypass the intended payment step via a modified URL, related to a "mass assignment" vulnerabili...
Affected products: Spreecommerce Spree 0.2.0
CVE-2008-7311 (CVSSv2 score 5)
The session cookie store implementation in Spree 0.2.0 uses a hardcoded config.action_controller_session hash value (aka secret key), which makes it easier for remote malicious users to bypass cryptographic protection mechanisms by leveraging an application that contains this val...
Affected products: Spreecommerce Spree 0.2.0
CVE-2010-3978 (CVSSv2 score 5)
Spree 0.11.x prior to 0.11.2 and 0.30.x prior to 0.30.0 exchanges data using JavaScript Object Notation (JSON) without a mechanism for validating requests, which allows remote malicious users to obtain sensitive information via vectors involving (1) admin/products.json, (2) admin...
Affected products: Spreecommerce Spree 0.11.0, 0.11.1, 0.30.0