CVE Vulnerabilities

CVE-2013-2506

Published: Mar 08, 2013 | Modified: Apr 11, 2025
Source: NVD
CVSS 3.x: N/A
CVSS 2.x: 4.0 MEDIUM (AV:N/AC:L/Au:S/C:N/I:P/A:N)

app/models/spree/user.rb in spree_auth_devise, as shipped with Spree 1.1.x before 1.1.6, 1.2.x, and 1.3.x, does not restrict mass assignment when a user record is updated. A remote authenticated user can therefore include role assignments in an ordinary self-service profile update and grant themselves arbitrary roles, including administrative ones. The CVSS 2 vector rates this as a partial integrity impact (C:N/I:P/A:N) because the direct effect is an unauthorised write; in practice the roles gained decide what the attacker can do next, so treat it as a privilege-escalation issue. Note that the affected-software list below includes 1.1.6 even though the description says 1.1.x before 1.1.6; check the installed version against the upstream fix rather than relying on this boundary alone.
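As an added illustration, and not code from the Spree project or the spree_auth_devise gem, the Ruby below models the Rails 3 mass-assignment pattern behind this CVE without ActiveRecord. A tiny base class stands in for update_attributes and attr_accessible, a vulnerable user model lets the role_ids association setter receive whatever the request carries, a hardened model whitelists only the self-service fields, and a permit helper shows the equivalent controller-side filter. The class names, the role id "1", and the params hash are constructed for the example.

```ruby
# Added example, not Spree code: a stand-in for Rails 3 mass assignment.
# MiniModel mimics update_attributes (assign every key via its setter) and
# attr_accessible (a whitelist of mass-assignable attribute names).
class MiniModel
  # nil means "no whitelist configured": every setter is reachable, which is
  # the unsafe default a model without attr_accessible effectively has.
  def self.attr_accessible(*names)
    @accessible = names.map(&:to_s)
  end

  def self.accessible
    @accessible
  end

  # Mass assignment: call the setter for each key in the hash.
  # Returns the attribute names that were actually assigned.
  def update_attributes(attrs)
    allowed = self.class.accessible
    assigned = []
    attrs.each do |key, value|
      name = key.to_s
      next unless respond_to?("#{name}=")
      next if allowed && !allowed.include?(name) # drop non-whitelisted keys
      public_send("#{name}=", value)
      assigned << name
    end
    assigned
  end
end

# Vulnerable shape: role_ids is a writable association setter and nothing
# restricts it, so user[role_ids][]=1 in a profile update reaches it.
class VulnerableUser < MiniModel
  attr_accessor :email, :password, :role_ids

  def initialize(email)
    @email = email
    @role_ids = []
  end
end

# Hardened shape: only fields a user may edit about themselves are
# mass-assignable; roles change only through an explicit privileged path.
class HardenedUser < MiniModel
  attr_accessor :email, :password, :role_ids
  attr_accessible :email, :password

  def initialize(email)
    @email = email
    @role_ids = []
  end

  # Hypothetical admin-only role change, kept out of mass assignment.
  def assign_roles!(ids, by_admin:)
    raise "forbidden" unless by_admin
    @role_ids = ids
  end
end

# Controller-side alternative in the spirit of strong parameters: keep only
# the listed keys before the hash ever reaches update_attributes.
def permit(params, *keys)
  allowed = keys.map(&:to_s)
  params.select { |k, _| allowed.include?(k.to_s) }
end

# Constructed request parameters, as Rack would parse
# user[email]=x@example.com&user[role_ids][]=1 from a self-service form.
# "1" stands for the id of a privileged role in this example.
ATTACKER_PARAMS = { "email" => "x@example.com", "role_ids" => ["1"] }.freeze

# Replay the profile update against a model class; return the roles it ends
# up with so the two shapes can be compared.
def exploit_against(klass)
  user = klass.new("orig@example.com")
  user.update_attributes(ATTACKER_PARAMS)
  user.role_ids
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable roles: #{exploit_against(VulnerableUser).inspect}"
  puts "hardened roles:   #{exploit_against(HardenedUser).inspect}"
  puts "permitted params: #{permit(ATTACKER_PARAMS, :email, :password).inspect}"
end
```

The fix direction in both cases is the same: the set of attributes a request may write is decided by code, not by the request. On Rails 3.2 applications, config.active_record.whitelist_attributes = true makes an attr_accessible list mandatory for every model, so an association setter such as role_ids cannot be reached by accident; on Rails 4 and later, strong parameters move that decision into the controller, and role_ids should only ever be permitted on an admin-only action.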

Affected Software

Name   Vendor         Affected versions (NVD lists each version as its own range, start = end)
Spree  Spreecommerce  1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.1.6
Spree  Spreecommerce  1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4
Spree  Spreecommerce  1.3.0, 1.3.1, 1.3.2
