PT-2013-3299 · Spree · Spree Commerce

Published

2013-03-08

·

Updated

2020-12-04

·

CVE-2013-1656

CVSS v2.0

4.3

Medium

Vector

AV:N/AC:M/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions

Spree Commerce versions 1.0.x through 1.3.2
Spree Commerce versions 1.0.x before 2.0.0.rc1
Description

The issue allows remote authenticated administrators to instantiate arbitrary Ruby objects and execute arbitrary commands. The cause is the unsafe use of the constantize function on several request parameters, which resolves an attacker-chosen string to any class loaded in the application: the payment_method parameter in core/app/controllers/spree/admin/payment_methods_controller.rb, and, under promo/app/controllers/spree/admin/, the promotion_action parameter in promotion_actions_controller.rb, the promotion_rule parameter in promotion_rules_controller.rb, and the calculator_type parameter in promotions_controller.rb.
Recommendations

For Spree Commerce versions 1.0.x through 1.3.2, consider disabling the vulnerable parameters payment_method, promotion_action, promotion_rule, and calculator_type until a patch is available. For Spree Commerce versions 1.0.x before 2.0.0.rc1, consider disabling the vulnerable parameters payment_method, promotion_action, promotion_rule, and calculator_type until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
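The pattern behind the description above, as an added example that is not Spree's code or its actual patch: a class name taken straight from a request parameter and resolved with Object.const_get (the call that ActiveSupport's String#constantize ultimately makes), beside a version that only accepts names from an allow-list of registered classes. The Spree::Gateway::Bogus, Spree::BillingIntegration and AuditLogCleaner classes are constructed stand-ins for this example.

```ruby
# Constructed stand-ins for payment method classes an application registers.
module Spree
  class PaymentMethod; end
  class Gateway < PaymentMethod
    class Bogus < Gateway; end
  end
  class BillingIntegration < PaymentMethod; end
end

# Constructed stand-in for a class that is loaded in the process but was
# never meant to be reachable from the admin form.
class AuditLogCleaner
  def initialize
    @touched = true
  end
end

# Vulnerable pattern: the string the client sent is resolved to a class and
# instantiated, so any loaded class name is accepted.
def build_payment_method_unsafe(params)
  Object.const_get(params["payment_method"]).new
end

# Hardened pattern: the parameter is only a key into an allow-list of classes
# the application registered; anything else is rejected before resolution.
ALLOWED_PAYMENT_METHODS = [Spree::Gateway::Bogus, Spree::BillingIntegration].freeze

class UnknownPaymentMethod < StandardError; end

def build_payment_method_safe(params)
  name = params["payment_method"]
  klass = ALLOWED_PAYMENT_METHODS.find { |c| c.name == name }
  raise UnknownPaymentMethod, name.inspect unless klass
  klass.new
end

if $PROGRAM_NAME == __FILE__
  hostile = { "payment_method" => "AuditLogCleaner" }   # constructed request
  p build_payment_method_unsafe(hostile).class           # AuditLogCleaner
  begin
    build_payment_method_safe(hostile)
  rescue UnknownPaymentMethod => e
    puts "rejected: #{e.message}"                        # rejected: "AuditLogCleaner"
  end
end
```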

Exploit

RCE


Weakness Enumeration

Related Identifiers

CVE-2013-1656
GHSA-JXX8-V83V-RHW3

Affected Products

Spree Commerce