RubySec

Providing security resources for the Ruby community

OSVDB-125712 (spree): Product Scopes could allow for unauthenticated remote command execution

Published: July 02, 2012

SECURITY IDENTIFIERS

GEM

spree

PATCHED VERSIONS

~> 0.11.4
~> 0.70.6
~> 1.0.5
>= 1.1.2

DESCRIPTION

Product Scopes could allow for unauthenticated remote command execution. This was corrected by removing the conditions_any scope and using ARel query building instead.
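The fix described above replaces a scope that took untrusted conditions with query building. The following is an added example, not Spree's code and not a reconstruction of the original flaw: it shows the defensive pattern a product filter should follow, where filter names arriving in request parameters are resolved through a fixed allowlist and values are carried as bind parameters, so neither can become query text or select a method. It is plain Ruby with no ActiveRecord dependency; the scope names, column mappings and the build_product_filter helper are assumptions chosen for illustration.

```ruby
# Added example (not Spree's code). Builds a parameterized where-clause from
# untrusted filter params such as { "price_between" => ["10", "20"] }.
# Scope names are looked up in a fixed table, so a request can only reach
# filters the application declared; values are returned as binds, never
# interpolated into the SQL text. The scope names and columns are assumptions.

ALLOWED_SCOPES = {
  "price_between"        => { column: "price",    op: :between, arity: 2 },
  "in_taxon"             => { column: "taxon_id", op: :eq,      arity: 1 },
  "master_name_contains" => { column: "name",     op: :like,    arity: 1 },
}.freeze

class UnknownScope < StandardError; end

# Returns [sql_fragment, binds]. Unknown scope names, wrong value counts and
# values that fail type conversion raise instead of being silently dispatched.
def build_product_filter(params)
  clauses = []
  binds = []
  params.each do |name, raw_values|
    spec = ALLOWED_SCOPES.fetch(name.to_s) { raise UnknownScope, name.to_s }
    values = Array(raw_values).map(&:to_s)
    unless values.size == spec[:arity]
      raise ArgumentError, "#{name}: expected #{spec[:arity]} value(s)"
    end
    # spec[:column] comes from our own constant, not from the request.
    case spec[:op]
    when :between
      clauses << "#{spec[:column]} BETWEEN ? AND ?"
      binds.concat(values.map { |v| Float(v) })   # Float() raises on junk
    when :eq
      clauses << "#{spec[:column]} = ?"
      binds << Integer(values.first)               # Integer() raises on junk
    when :like
      clauses << "#{spec[:column]} LIKE ?"
      # Escape LIKE wildcards so a user value matches literally.
      escaped = values.first.gsub(/[%_\\]/) { |c| "\\#{c}" }
      binds << "%#{escaped}%"
    end
  end
  [clauses.join(" AND "), binds]
end
```

In a Rails application the returned pair would be handed to something like `Product.where(sql, *binds)`; the property worth checking is that a request can name only the scopes the application declared, and that every value reaches the database as a bind rather than as part of the statement.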

RELATED