ADVISORIES

• CVE-2013-1656
• OSVDB-91219
• Vendor Advisory

GEM

spree

SEVERITY

CVSS v2.0: 4.3 (Medium)

PATCHED VERSIONS

• >= 2.0.0

DESCRIPTION

Spree contains a flaw that is triggered when handling input passed via the ‘promotion_rule’ parameter to promotion_rules_controller.rb. This may allow a remote authenticated attacker to instantiate arbitrary Ruby objects and potentially execute arbitrary commands.