CVE-2013-1656 (spree): Spree promotion_rules_controller.rb promotion_rule Parameter Arbitrary Ruby Object Instantiation Command Execution

February 21st, 2013

ADVISORIES

CVE-2013-1656 (NVD)
OSVDB-91219
Vendor Advisory

GEM

spree

SEVERITY

CVSS v2.0: 4.3 (Medium)

PATCHED VERSIONS

>= 2.0.0

DESCRIPTION

Spree contains a flaw that is triggered when handling input passed via the ‘promotion_rule’ parameter to promotion_rules_controller.rb. This may allow a remote authenticated attacker to instantiate arbitrary Ruby objects and potentially execute arbitrary commands.

RubySec

CVE-2013-1656 (spree): Spree promotion_rules_controller.rb promotion_rule Parameter Arbitrary Ruby Object Instantiation Command Execution

ADVISORIES

GEM

SEVERITY

PATCHED VERSIONS

DESCRIPTION

Recent Advisories