RubySec

Providing security resources for the Ruby community

OSVDB-125712 (spree): Product Scopes could allow for unauthenticated remote command execution

GEM

spree

PATCHED VERSIONS

  • ~> 0.11.4
  • ~> 0.70.6
  • ~> 1.0.5
  • >= 1.1.2

DESCRIPTION

Product Scopes could allow for unauthenticated remote command execution. This was corrected by removing the conditions_any scope and using ARel query building instead.