GHSA-jxx8-v83v-rhw3

Suggest an improvement
Source
https://github.com/advisories/GHSA-jxx8-v83v-rhw3
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-jxx8-v83v-rhw3/GHSA-jxx8-v83v-rhw3.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-jxx8-v83v-rhw3
Aliases
  • CVE-2013-1656
Published
2017-10-24T18:33:37Z
Modified
2024-02-16T08:05:41.638846Z
Summary
Spree Improper Input Validation vulnerability
Details

Spree Commerce 1.0.x before 2.0.0.rc1 allows remote authenticated administrators to instantiate arbitrary Ruby objects and execute arbitrary commands via the (1) payment_method parameter to core/app/controllers/spree/admin/payment_methods_controller.rb; and the (2) promotion_action parameter to promotion_actions_controller.rb, (3) promotion_rule parameter to promotion_rules_controller.rb, and (4) calculator_type parameter to promotions_controller.rb in promo/app/controllers/spree/admin/, related to unsafe use of the constantize function.

References

Affected packages

RubyGems / spree

Package

Name
spree
Purl
pkg:gem/spree

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.0.0
Fixed
2.0.0.rc1

Affected versions

1.*

1.0.0
1.0.1
1.0.2
1.0.3
1.0.4
1.0.6
1.0.7
1.1.0.rc1
1.1.0.rc2
1.1.0
1.1.1
1.1.2.rc1
1.1.2
1.1.3
1.1.4
1.1.5
1.1.6
1.2.0.rc1
1.2.0.rc2
1.2.0
1.2.2
1.2.3
1.2.4
1.2.5
1.3.0.rc1
1.3.0.rc2
1.3.0
1.3.1
1.3.2
1.3.3
1.3.4
1.3.5