4
CVSSv2

CVE-2013-2506

Published: 08/03/2013 Updated: 18/03/2013
CVSS v2 Base Score: 4 | Impact Score: 2.9 | Exploitability Score: 8
VMScore: 356
Vector: AV:N/AC:L/Au:S/C:N/I:P/A:N

Vulnerability Summary

app/models/spree/user.rb in spree_auth_devise in Spree 1.1.x prior to 1.1.6, 1.2.x, and 1.3.x does not perform mass assignment safely when updating a user, which allows remote authenticated users to assign arbitrary roles to themselves.

Affected Products

Vendor Product Versions
SpreecommerceSpree1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.1.6, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.3.0, 1.3.1, 1.3.2