ADVISORIES

• OSVDB-125712
• Vendor Advisory

GEM

spree

PATCHED VERSIONS

• ~> 0.11.4
• ~> 0.70.6
• ~> 1.0.5
• >= 1.1.2

DESCRIPTION

Product Scopes could allow for unauthenticated remote command execution. This was corrected by removing conditions_any scope and use ARel query building instead.

RELATED

• https://web.archive.org/web/20121126005814/https://spreecommerce.com/blog/security-issue-all-versions
• https://security.snyk.io/vuln/SNYK-RUBY-SPREE-20034