CVE-2013-1656

Severity CVSS v4.0:

Pending analysis

Type:

CWE-20 Input Validation

Publication date:

08/03/2013

Last modified:

11/04/2025

Description

Spree Commerce 1.0.x through 1.3.2 allows remote authenticated administrators to instantiate arbitrary Ruby objects and execute arbitrary commands via the (1) payment_method parameter to core/app/controllers/spree/admin/payment_methods_controller.rb; and the (2) promotion_action parameter to promotion_actions_controller.rb, (3) promotion_rule parameter to promotion_rules_controller.rb, and (4) calculator_type parameter to promotions_controller.rb in promo/app/controllers/spree/admin/, related to unsafe use of the constantize function.

Impact

Vector 2.0

AV:N/AC:M/Au:N/C:N/I:P/A:N CVSS v2.0 Severity and Metrics:

Base Score: 4.30 MEDIUM
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Attack Vector (AV): Network
Attack Complexity (AC): Medium
Authentication (Au): None
Confidentiality (C): None
Integrity (I): Physical
Availability (A): None

Base Score 2.0

4.30

Severity 2.0

MEDIUM

Vulnerable products and versions

CPE	From	Up to
cpe:2.3:a:spreecommerce:spree::::::::		1.3.2 (including)
cpe:2.3:a:spreecommerce:spree:1.0.0:::::::*
cpe:2.3:a:spreecommerce:spree:1.0.1:::::::*
cpe:2.3:a:spreecommerce:spree:1.0.2:::::::*
cpe:2.3:a:spreecommerce:spree:1.0.3:::::::*
cpe:2.3:a:spreecommerce:spree:1.0.4:::::::*
cpe:2.3:a:spreecommerce:spree:1.0.5:::::::*
cpe:2.3:a:spreecommerce:spree:1.0.6:::::::*
cpe:2.3:a:spreecommerce:spree:1.0.7:::::::*
cpe:2.3:a:spreecommerce:spree:1.1.0:::::::*
cpe:2.3:a:spreecommerce:spree:1.1.1:::::::*
cpe:2.3:a:spreecommerce:spree:1.1.2:::::::*
cpe:2.3:a:spreecommerce:spree:1.1.3:::::::*
cpe:2.3:a:spreecommerce:spree:1.1.4:::::::*
cpe:2.3:a:spreecommerce:spree:1.1.5:::::::*

To consult the complete list of CPE names with products and versions, see this page

CPE	From	Up to
cpe:2.3:a:spreecommerce:spree::::::::		1.3.2 (including)
cpe:2.3:a:spreecommerce:spree:1.0.0:::::::*
cpe:2.3:a:spreecommerce:spree:1.0.1:::::::*
cpe:2.3:a:spreecommerce:spree:1.0.2:::::::*
cpe:2.3:a:spreecommerce:spree:1.0.3:::::::*
cpe:2.3:a:spreecommerce:spree:1.0.4:::::::*
cpe:2.3:a:spreecommerce:spree:1.0.5:::::::*
cpe:2.3:a:spreecommerce:spree:1.0.6:::::::*
cpe:2.3:a:spreecommerce:spree:1.0.7:::::::*
cpe:2.3:a:spreecommerce:spree:1.1.0:::::::*
cpe:2.3:a:spreecommerce:spree:1.1.1:::::::*
cpe:2.3:a:spreecommerce:spree:1.1.2:::::::*
cpe:2.3:a:spreecommerce:spree:1.1.3:::::::*
cpe:2.3:a:spreecommerce:spree:1.1.4:::::::*
cpe:2.3:a:spreecommerce:spree:1.1.5:::::::*

CVE-2013-1656

Description

Impact

Vulnerable products and versions

References to Advisories, Solutions, and Tools