CVE-2013-2506

Name of the Vulnerable Software and Affected Versions Spree versions 1.1.x through 1.1.5 Spree versions 1.2.x Spree versions 1.3.x

Description The issue arises from unsafe mass assignment when updating a user, allowing remote authenticated users to assign arbitrary roles to themselves. This is due to a problem in the app/models/spree/user.rb file in spree auth devise.

Recommendations For Spree versions 1.1.x through 1.1.5, update to version 1.1.6 or later. For Spree versions 1.2.x and 1.3.x, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, consider restricting access to user role assignments to prevent exploitation.