OSVDB-125713 (spree): Potential XSS vulnerability related to the analytics dashboard

July 2nd, 2012

ADVISORIES

OSVDB-125713
Vendor Advisory

GEM

PATCHED VERSIONS

~> 0.11.4
~> 0.70.6
~> 1.0.5
>= 1.1.2

DESCRIPTION

Spree has a flaw in its analytics dashboard where keywords are not escaped, leading to potential XSS.

RELATED

https://web.archive.org/web/20121126005814/https://spreecommerce.com/blog/security-issue-all-versions