CVE-2013-2506
Severity CVSS v4.0:
Pending analysis
Type:
CWE-264
Permissions, Privileges, and Access Control
Publication date:
08/03/2013
Last modified:
11/04/2025
Description
app/models/spree/user.rb in spree_auth_devise in Spree 1.1.x before 1.1.6, 1.2.x, and 1.3.x does not perform mass assignment safely when updating a user, which allows remote authenticated users to assign arbitrary roles to themselves.
Impact
Base Score 2.0
4.00
Severity 2.0
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:spreecommerce:spree:1.1.0:*:*:*:*:*:*:* | ||
| cpe:2.3:a:spreecommerce:spree:1.1.1:*:*:*:*:*:*:* | ||
| cpe:2.3:a:spreecommerce:spree:1.1.2:*:*:*:*:*:*:* | ||
| cpe:2.3:a:spreecommerce:spree:1.1.3:*:*:*:*:*:*:* | ||
| cpe:2.3:a:spreecommerce:spree:1.1.4:*:*:*:*:*:*:* | ||
| cpe:2.3:a:spreecommerce:spree:1.1.5:*:*:*:*:*:*:* | ||
| cpe:2.3:a:spreecommerce:spree:1.1.6:*:*:*:*:*:*:* | ||
| cpe:2.3:a:spreecommerce:spree:1.2.0:*:*:*:*:*:*:* | ||
| cpe:2.3:a:spreecommerce:spree:1.2.1:*:*:*:*:*:*:* | ||
| cpe:2.3:a:spreecommerce:spree:1.2.2:*:*:*:*:*:*:* | ||
| cpe:2.3:a:spreecommerce:spree:1.2.3:*:*:*:*:*:*:* | ||
| cpe:2.3:a:spreecommerce:spree:1.2.4:*:*:*:*:*:*:* | ||
| cpe:2.3:a:spreecommerce:spree:1.3.0:*:*:*:*:*:*:* | ||
| cpe:2.3:a:spreecommerce:spree:1.3.1:*:*:*:*:*:*:* | ||
| cpe:2.3:a:spreecommerce:spree:1.3.2:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- http://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed
- https://github.com/spree/spree_auth_devise/commit/038d74771d3b5c13d13b738b73dfda1033a99f65
- http://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed
- https://github.com/spree/spree_auth_devise/commit/038d74771d3b5c13d13b738b73dfda1033a99f65