CVE-2010-3978

Name of the Vulnerable Software and Affected Versions Spree versions 0.11.x through 0.11.1 Spree versions 0.30.x before 0.30.0

Description The issue allows remote attackers to obtain sensitive information via vectors involving API endpoints such as "admin/products.json", "admin/users.json", or "admin/overview/get report data", related to a "JSON hijacking" issue. This occurs because the software exchanges data using JavaScript Object Notation (JSON) without a mechanism for validating requests.

Recommendations For Spree versions 0.11.x through 0.11.1, update to version 0.11.2 or later. For Spree versions 0.30.x before 0.30.0, update to version 0.30.0 or later. As a temporary workaround, consider restricting access to the API endpoints "admin/products.json", "admin/users.json", and "admin/overview/get report data" to minimize the risk of exploitation.