RubySec

Providing security resources for the Ruby community

CVE-2010-3978 (spree): Spree Multiple Script JSON Request Validation Weakness Remote Information Disclosure

GEM

spree

SEVERITY

CVSS v2.0: 5.0 (Medium)

PATCHED VERSIONS

  • ~> 0.11.2
  • >= 0.30.0

DESCRIPTION

Spree contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when the application exchanges data through its JSON service without validating the requests; as a result, sensitive user and order information is disclosed to a context-dependent attacker when a logged-in user visits a crafted website.
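As an added illustration that is not Spree's code and not part of the advisory, the Ruby below models the weakness class the description points at: a JSON endpoint that hands back order data to any request carrying the victim's session, beside a version that additionally requires a per-session token a foreign page cannot read. The handler names, the sample order record and the X-CSRF-Token header are assumptions for the example.

```ruby
require "json"
require "securerandom"

# Constructed sample record standing in for the sensitive order data
# the JSON service returns (not real Spree data).
ORDER_RECORD = { "order_id" => 1001, "email" => "buyer@example.test", "total" => "49.90" }.freeze

# Requests are modelled as { headers: { ... } }; sessions as a plain Hash.
# Weak shape: the only check is that a logged-in session exists, so a page on
# another origin can obtain the JSON through the victim's browser session.
def orders_json_unvalidated(session, _request)
  return [401, "{}"] unless session[:user_id]
  [200, JSON.generate(ORDER_RECORD)]
end

# Issue (or reuse) a random per-session token; a cross-site page cannot read it.
def issue_csrf_token(session)
  session[:csrf_token] ||= SecureRandom.hex(32)
end

# Constant-time comparison so token checking does not leak via timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def valid_token?(session, request)
  expected = session[:csrf_token]
  supplied = request[:headers]["X-CSRF-Token"]
  return false if expected.nil? || supplied.nil?
  secure_equal?(expected, supplied)
end

# Hardened shape: same endpoint, but the request itself must prove it came from
# the application's own page by presenting the session-bound token.
def orders_json_validated(session, request)
  return [401, "{}"] unless session[:user_id]
  unless valid_token?(session, request)
    return [403, JSON.generate("error" => "invalid or missing request token")]
  end
  [200, JSON.generate(ORDER_RECORD)]
end

if __FILE__ == $0
  sess = { user_id: 7 }
  token = issue_csrf_token(sess)
  puts "no token, unvalidated: #{orders_json_unvalidated(sess, { headers: {} })[0]}"
  puts "no token, validated:   #{orders_json_validated(sess, { headers: {} })[0]}"
  puts "with token, validated: #{orders_json_validated(sess, { headers: { 'X-CSRF-Token' => token } })[0]}"
end
```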