CVE-2013-1656
EPSS 0.30%
Spree Improper Input Validation vulnerability
Published: 10/24/2017
Modified: 12/5/2024
Also known as: GHSA-jxx8-v83v-rhw3
Description
Spree Commerce 1.0.x before 2.0.0.rc1 allows remote authenticated administrators to instantiate arbitrary Ruby objects and execute arbitrary commands via (1) the `payment_method` parameter to `core/app/controllers/spree/admin/payment_methods_controller.rb`; and, in `promo/app/controllers/spree/admin/`, (2) the `promotion_action` parameter to `promotion_actions_controller.rb`, (3) the `promotion_rule` parameter to `promotion_rules_controller.rb`, and (4) the `calculator_type` parameter to `promotions_controller.rb`. All four are related to unsafe use of the `constantize` function: a class name taken from the request is turned directly into a Ruby constant and instantiated, so an administrator can name any loadable class rather than only the intended payment-method, promotion or calculator classes.
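The pattern behind the advisory, as an added illustration that is not Spree's own code and does not reproduce its controllers: a type string from a form is resolved to a class. `Object.const_get` stands in for ActiveSupport's `String#constantize` (the module names `Shop::Check`, `Shop::BogusGateway`, the `PAYMENT_METHOD_TYPES` allowlist and the `resolve_*` helpers are all assumptions made for this example). The unsafe resolver accepts any constant name; the hardened resolver only accepts names present in a fixed allowlist and never converts a string into a constant at request time.

```ruby
# Added example (not Spree's code). Two toy payment-method classes stand in
# for the real subclasses an admin form would offer.
module Shop
  class PaymentMethod; end
  class Check < PaymentMethod; end
  class BogusGateway < PaymentMethod; end
end

# Allowlist: the only type strings a request may select, mapped to the class
# they mean. Because the mapping is fixed at load time, no request-supplied
# string is ever turned into a constant.
PAYMENT_METHOD_TYPES = {
  "Shop::Check"        => Shop::Check,
  "Shop::BogusGateway" => Shop::BogusGateway,
}.freeze

class UnknownTypeError < StandardError; end

# Unsafe pattern (the shape the advisory describes): resolve the submitted
# string straight to a constant. Object.const_get is the plain-Ruby stand-in
# for String#constantize; any loadable constant can be named this way.
def resolve_unsafe(type_param)
  Object.const_get(type_param.to_s)
end

# Hardened pattern: look the string up in the allowlist and reject anything
# else. The caller never sees a class outside PAYMENT_METHOD_TYPES.
def resolve_safe(type_param)
  PAYMENT_METHOD_TYPES.fetch(type_param.to_s) do
    raise UnknownTypeError, "payment method type not permitted: #{type_param.inspect}"
  end
end

# What a hardened controller action would do with the form parameters
# (a plain Hash here, mimicking params["payment_method"]).
def build_payment_method(payment_method_params)
  klass = resolve_safe(payment_method_params.fetch("type"))
  klass.new
end

if __FILE__ == $PROGRAM_NAME
  puts resolve_unsafe("File")                      # resolves a class the form never offered
  puts build_payment_method("type" => "Shop::Check").class
  begin
    build_payment_method("type" => "File")
  rescue UnknownTypeError => e
    puts "rejected: #{e.message}"
  end
end
```

In a Rails application the same check is usually expressed as a list of permitted classes in configuration and a lookup against that list; the important property is that the request can only pick an entry, not supply a class name.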
Affected packages (1)
- RubyGems/spree >= 1.0.0, < 2.0.0.rc1
References (8)
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2013-1656
- PATCH https://github.com/spree/spree
- WEB https://blog.convisoappsec.com/en/spree-commerce-multiple-unsafe-reflection-vulnerabilities-cve-2013-1656
- WEB https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree/CVE-2013-1656.yml
- WEB https://github.com/spree/spree/commit/70092eb55b8be8fe5d21a7658b62da658612fba7
- WEB https://web.archive.org/web/20130907044454/https://www.conviso.com.br/advisories/CVE-2013-1656.txt
- WEB https://web.archive.org/web/20140329142330/http://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed
- WEB https://web.archive.org/web/20140618100330/http://blog.conviso.com.br/2013/03/spree-commerce-multiple-unsafe.html