RubySec

Providing security resources for the Ruby community

CVE-2013-1656 (spree): Spree promotion_rules_controller.rb promotion_rule Parameter Arbitrary Ruby Object Instantiation Command Execution

GEM

spree

SEVERITY

CVSS v2: 4.3

PATCHED VERSIONS

  • >= 2.0.0

DESCRIPTION

Spree contains a flaw in promotion_rules_controller.rb in the handling of the ‘promotion_rule’ parameter: the class name supplied in that parameter is resolved and instantiated without being checked against the set of legitimate promotion rule classes. This allows a remote authenticated attacker to instantiate arbitrary Ruby objects, and, depending on which classes are loadable in the application, potentially execute arbitrary commands.
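The pattern behind this class of flaw, as an added example that is not Spree's code and does not reproduce the original controller: a request parameter names the class to instantiate, the vulnerable handler resolves it directly (plain-Ruby `Object.const_get` stands in for ActiveSupport's `String#constantize`), and the hardened handler maps a short rule identifier onto an allow-list of known rule classes. The `Promo` module, the `Sidechannel` class and the parameter hashes are constructed for the example.

```ruby
# Added example (not Spree's code): unchecked class-name instantiation from
# request parameters, and an allow-list fix. Plain Ruby, no Rails required;
# Object.const_get plays the role of ActiveSupport's String#constantize.

module Promo
  # Base class for the constructed promotion rules.
  class Rule
    attr_reader :attrs
    def initialize(attrs = {})
      @attrs = attrs
    end
  end
  class ItemTotal < Rule; end
  class FirstOrder < Rule; end
end

# Constructed stand-in for whatever class an attacker chooses to name. Its
# initializer only records that it ran; in a real application the attacker
# would pick a class whose constructor has useful side effects (opening a
# file, spawning a process, or acting as a deserialization gadget).
class Sidechannel
  @instantiated = false
  class << self
    attr_accessor :instantiated
  end
  def initialize(_attrs = nil)
    self.class.instantiated = true
  end
end

# VULNERABLE: the request decides which class gets instantiated. Any constant
# reachable from Object, not just promotion rules, can be named here.
def create_rule_vulnerable(params)
  type = params["promotion_rule"]["type"]
  klass = Object.const_get(type)
  klass.new(params["promotion_rule"])
end

# HARDENED: the request supplies only an opaque identifier, which is looked up
# in a fixed table of rule classes. Unknown identifiers are rejected before any
# constant is resolved, so no attacker-chosen class name ever reaches
# const_get/constantize. (Resolving the name first and then testing
# `klass < Promo::Rule` would still let the attacker resolve arbitrary
# constants, which in Rails can trigger autoloading; the table avoids that.)
ALLOWED_RULES = {
  "item_total"  => Promo::ItemTotal,
  "first_order" => Promo::FirstOrder,
}.freeze

def create_rule_safe(params)
  rule_params = params.fetch("promotion_rule")
  type = rule_params.fetch("type")
  klass = ALLOWED_RULES.fetch(type) do
    raise ArgumentError, "unknown promotion rule type: #{type.inspect}"
  end
  klass.new(rule_params)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed attacker request: names a class that is not a promotion rule.
  attack = { "promotion_rule" => { "type" => "Sidechannel" } }
  create_rule_vulnerable(attack)
  puts "vulnerable handler instantiated Sidechannel: #{Sidechannel.instantiated}"
  begin
    create_rule_safe(attack)
  rescue ArgumentError => e
    puts "hardened handler rejected it: #{e.message}"
  end
end
```

The hardened version mirrors the general fix for this bug class: never let a client-controlled string select a class, even indirectly through a subclass check performed after the lookup; keep the mapping from public identifiers to classes on the server side.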