PT-2012-1266 · Spree

Published: 2012-04-04 · Updated: 2022-05-17 · CVE-2008-7310

CVSS v2.0: 5.0 (Medium)
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions: Spree version 0.2.0

Description: The issue lets remote attackers bypass the intended payment step by modifying a URL. It stems from a mass assignment vulnerability: the software does not restrict which keys of a request hash may supply values for a model's attributes, so an attacker can set the Order state value directly.

Recommendations: For Spree version 0.2.0, restrict mass assignment so that the Order state value cannot be set from request parameters and the payment step cannot be bypassed. As a temporary workaround, consider restricting access to the model's attributes to minimize the risk of exploitation.
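The following is an added example, not Spree's code, written in plain Ruby without Rails. It shows the pattern behind the issue above: an update method that writes every key of an incoming parameter hash onto a model can have a protected attribute such as the order state overwritten, while a whitelist of permitted attributes rejects such keys. The `Order` class, its attributes and the constructed parameter hash are assumptions made for the illustration.

```ruby
# Added example (not Spree's code): unrestricted mass assignment versus a
# permitted-attribute whitelist. Plain Ruby, no Rails; Order is a hypothetical
# stand-in for a checkout model whose "state" is advanced only by payment logic.

class MassAssignmentError < StandardError; end

class Order
  attr_reader :email, :shipping_address, :state

  # Only these keys may be written from request parameters.
  PERMITTED = %w[email shipping_address].freeze

  def initialize
    @email = nil
    @shipping_address = nil
    @state = "cart" # must only change through record_payment!
  end

  # Vulnerable pattern: every key of the hash becomes an attribute write, so a
  # client-supplied "state" key reaches the model unchecked.
  def update_attributes_unrestricted(params)
    params.each { |k, v| instance_variable_set("@#{k}", v) }
    self
  end

  # Hardened pattern: unknown keys are rejected before anything is written.
  # Failing loudly (rather than silently dropping keys) also gives you a
  # log line worth alerting on.
  def update_attributes_permitted(params)
    extra = params.keys.map(&:to_s) - PERMITTED
    unless extra.empty?
      raise MassAssignmentError, "unpermitted attributes: #{extra.join(', ')}"
    end
    params.each { |k, v| instance_variable_set("@#{k}", v) }
    self
  end

  # The only legitimate path to a completed order.
  def record_payment!(authorized)
    @state = "complete" if authorized
    self
  end
end

# Constructed parameters, as a checkout form handler might receive them.
# A legitimate client sends only email and shipping_address; the extra
# "state" key is the kind of input the hardened method must refuse.
TAMPERED_PARAMS = {
  "email" => "buyer@example.com",
  "shipping_address" => "1 Example St",
  "state" => "complete"
}.freeze

# State after the vulnerable update: the payment step has been skipped.
def vulnerable_state
  Order.new.update_attributes_unrestricted(TAMPERED_PARAMS).state
end

# [state, error message] after the hardened update: state is untouched.
def hardened_result
  order = Order.new
  order.update_attributes_permitted(TAMPERED_PARAMS)
  [order.state, nil]
rescue MassAssignmentError => e
  [order.state, e.message]
end

# Legitimate keys still work through the hardened path.
def hardened_legitimate_email
  legit = TAMPERED_PARAMS.reject { |k, _| k == "state" }
  Order.new.update_attributes_permitted(legit).email
end

if __FILE__ == $PROGRAM_NAME
  puts "unrestricted: state=#{vulnerable_state}"
  state, err = hardened_result
  puts "permitted:    state=#{state} (#{err})"
  puts "legitimate:   email=#{hardened_legitimate_email}"
end
```

In Rails the whitelist corresponds to `attr_accessible` (Rails 2/3) or strong parameters (`params.require(:order).permit(...)`, Rails 4 and later); either way the point is the same as in the recommendation above: the set of writable attributes is fixed in code, and state transitions go through application logic rather than the request hash.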


Related Identifiers

CVE-2008-7310
GHSA-7H48-M3RW-VR27

Affected Products

Spree