Spreecommerce versions prior to 0.60.2 contains a remote command execution vulnerability in its search functionality. The application fails to properly sanitize input passed via the search[send][] parameter, which is dynamically invoked using Ruby’s send method. This allows attackers to execute arbitrary shell commands on the server without authentication.
The application does not properly sanitize input data passed through the search[send][] parameter. The value of this parameter is dynamically invoked using Ruby's send method, which allows an attacker to specify the name of any method or command to execute. The lack of input validation and filtering enables direct execution of system commands on the server without requiring any privileges.
An attacker can execute arbitrary shell commands on the server without authentication, leading to complete system compromise, data breach, and potential lateral movement within the internal network.
Spreecommerce Spree should be updated to version 0.60.2 or newer, in which the vulnerability has been removed. According to the references, patch details are available in the official producer blog and in the project repository.
Spreecommerce Spree in versions earlier than 0.60.2
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XSpreecommerce Spree
APPSpreecommerce< 0.60.2
Related vulnerabilities
RCE via command injection w API wyszukiwania Spreecommerce Spree
Spree is an open source e-commerce solution built with Ruby on Rails. A critical IDOR vulnerability exists in ...
Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 5.0.8, 5.1.10, 5.2.7, ...
Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 4.10.2, 5.0.7, 5.1.9, ...
Spree is a complete open source e-commerce solution built with Ruby on Rails. In Spree from version 3.7 and be...