spree (RubyGems) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the RubyGems package spree, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (7)
CVE-2011-10019 — CVSS 9.8 (critical): Spreecommerce versions prior to 0.60.2 contains a remote command execution vulnerability in its search functionality. The application fails…
CVE-2011-10026 — CVSS 9.8 (critical): Spreecommerce versions prior to 0.50.x contain a remote command execution vulnerability in the API's search functionality. Improper input…
CVE-2020-15269 — CVSS 7.4 (high): In Spree before versions 3.7.11, 4.0.4, or 4.1.11, expired user tokens could be used to access Storefront API v2 endpoints. The issue is…
CVE-2010-3978 — CVSS 5.0 (medium): Spree 0.11.x before 0.11.2 and 0.30.x before 0.30.0 exchanges data using JavaScript Object Notation (JSON) without a mechanism for…
CVE-2008-7310 — CVSS 5.0 (medium): Spree 0.2.0 does not properly restrict the use of a hash to provide values for a model's attributes, which allows remote attackers to set…
CVE-2008-7311 — CVSS 5.0 (medium): The session cookie store implementation in Spree 0.2.0 uses a hardcoded config.action_controller_session hash value (aka secret key), which…
CVE-2013-1656 — CVSS 4.3 (medium): Spree Commerce 1.0.x through 1.3.2 allows remote authenticated administrators to instantiate arbitrary Ruby objects and execute arbitrary…