Arbitrary Command Execution Affecting spree Open this link in a new tab package, versions < 0.60.2
Attack Complexity
Low
Confidentiality
High
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications-
snyk-id
SNYK-RUBY-SPREE-20019
-
published
4 Oct 2011
-
disclosed
4 Oct 2011
-
credit
joernchen
Introduced: 4 Oct 2011
CWE-77 Open this link in a new tabOverview
Spree
is an open source e-commerce framework for Ruby on Rails.
Details
The ProductScope
class fails to properly sanitize user-supplied input via the search[send][]
parameter resulting in arbitrary command execution. With a specially crafted request, a remote attacker can potentially cause arbitrary command execution.