CVE-2013-2506

Severity

40%

Complexity

80%

Confidentiality

48%

app/models/spree/user.rb in spree_auth_devise in Spree 1.1.x before 1.1.6, 1.2.x, and 1.3.x does not perform mass assignment safely when updating a user, which allows remote authenticated users to assign arbitrary roles to themselves.

app/models/spree/user.rb in spree_auth_devise in Spree 1.1.x before 1.1.6, 1.2.x, and 1.3.x does not perform mass assignment safely when updating a user, which allows remote authenticated users to assign arbitrary roles to themselves.

CVSS 2.0 Base Score 4. CVSS Attack Vector: network. CVSS Attack Complexity: low. CVSS Vector: (AV:N/AC:L/Au:S/C:N/I:P/A:N).

Overview

Type

spreecommerce Spree

First reported 11 years ago

2013-03-08 18:55:00

Last updated 11 years ago

2013-03-18 04:00:00

Affected Software

spreecommerce Spree 1.1.0

1.1.0

spreecommerce Spree 1.1.1

1.1.1

spreecommerce Spree 1.1.2

1.1.2

spreecommerce Spree 1.1.3

1.1.3

spreecommerce Spree 1.1.4

1.1.4

spreecommerce Spree 1.1.5

1.1.5

spreecommerce Spree 1.1.6

1.1.6

spreecommerce Spree 1.2.0

1.2.0

spreecommerce Spree 1.2.1

1.2.1

spreecommerce Spree 1.2.2

1.2.2

spreecommerce Spree 1.2.3

1.2.3

spreecommerce Spree 1.2.4

1.2.4

spreecommerce Spree 1.3.0

1.3.0

spreecommerce Spree 1.3.1

1.3.1

spreecommerce Spree 1.3.2

1.3.2

References

http://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed

Vendor Advisory

https://github.com/spree/spree_auth_devise/commit/038d74771d3b5c13d13b738b73dfda1033a99f65

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.