Spree Multiple Script JSON Request Validation Weakness Remote Information Disclosure
Published: November 02, 2010
SECURITY IDENTIFIERS
- CVE: CVE-2010-3978 (NVD)
- GHSA: GHSA-hwrx-wc75-mgh7
- OSVDB: OSVDB-69098
- Vendor Advisory: https://spreecommerce.com/blog/json-hijacking-vulnerability
GEM
SEVERITY
CVSS v2.0: 5.0 (Medium)
PATCHED VERSIONS
~> 0.11.2
>= 0.30.0
DESCRIPTION
Spree contains a flaw that may lead to unauthorized information disclosure. The application's JSON endpoints return data to any request carrying a valid session without checking that the request was issued by Spree's own pages rather than by a third-party site. Because the browser attaches the Spree session cookie to cross-site requests, an attacker who lures a logged-in user to a crafted web page can load those endpoints from that page (JSON hijacking) and read the sensitive user and order information they return. Only requests from an authenticated user's browser are affected; the attacker needs no credentials of their own.
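The following is an added illustration of the weakness and one common mitigation; it is not Spree's code and not the patch shipped in the fixed versions. It models two Rack-style handlers for an assumed `/api/orders.json` endpoint: a vulnerable one that serves order data to any request with a valid session (which is what a cross-site `<script src>` include on the attacker's page sends, cookie included), and a hardened one that additionally requires the `X-Requested-With: XMLHttpRequest` header, which a `<script>` tag cannot set and a cross-origin XHR can only send with CORS permission. The order data, session and request hashes are constructed for the example.

```ruby
require 'json'

# Constructed sample data standing in for what an orders JSON endpoint
# might return for the logged-in user (not real Spree output).
ORDER_DATA = {
  "orders" => [
    { "number" => "R000000001", "email" => "alice@example.com", "total" => "49.99" }
  ]
}.freeze

def logged_in?(env)
  session = env["rack.session"]
  session.is_a?(Hash) && !session[:user_id].nil?
end

# Vulnerable handler: any request carrying a valid session gets the data,
# including a cross-site <script src="https://shop.example/api/orders.json">
# include on an attacker's page. The browser sends the cookie either way.
def vulnerable_orders_json(env)
  return [401, { "Content-Type" => "text/plain" }, ["login required"]] unless logged_in?(env)
  [200, { "Content-Type" => "application/json" }, [JSON.generate(ORDER_DATA)]]
end

# Hardened handler: also requires the X-Requested-With header. A <script> tag
# cannot add request headers, so only the shop's own same-origin XHR calls pass.
def hardened_orders_json(env)
  return [401, { "Content-Type" => "text/plain" }, ["login required"]] unless logged_in?(env)
  unless env["HTTP_X_REQUESTED_WITH"] == "XMLHttpRequest"
    return [403, { "Content-Type" => "text/plain" }, ["JSON API requires XMLHttpRequest"]]
  end
  # Defence in depth: the body is a JSON object, never a bare top-level array,
  # so it is a syntax error rather than an evaluable expression if executed as script.
  [200, { "Content-Type" => "application/json" }, [JSON.generate(ORDER_DATA)]]
end

# Constructed requests. Both carry the victim's session; only the legitimate
# same-origin XHR from the shop's own page sets the header.
SESSION = { :user_id => 42 }.freeze

CROSS_SITE_SCRIPT_INCLUDE = {
  "REQUEST_METHOD" => "GET",
  "PATH_INFO"      => "/api/orders.json",
  "HTTP_REFERER"   => "https://attacker.example/",
  "rack.session"   => SESSION
}.freeze

SAME_ORIGIN_XHR = CROSS_SITE_SCRIPT_INCLUDE.merge(
  "HTTP_REFERER"          => "https://shop.example/account",
  "HTTP_X_REQUESTED_WITH" => "XMLHttpRequest"
).freeze

# Returns the HTTP status a handler gives a request, for quick comparison.
def status_of(handler, env)
  send(handler, env).first
end

if __FILE__ == $0
  [:vulnerable_orders_json, :hardened_orders_json].each do |handler|
    puts "#{handler}: cross-site script include -> #{status_of(handler, CROSS_SITE_SCRIPT_INCLUDE)}, " \
         "same-origin XHR -> #{status_of(handler, SAME_ORIGIN_XHR)}"
  end
end
```

In a Rails controller the same header check is `request.xhr?`, typically applied in a `before_filter` on the JSON actions. The check blocks the `<script>` include vector described in the advisory; it does not replace CSRF protection for state-changing requests, and it does not help if the endpoint is later opened up with a permissive CORS policy.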
