PT-2025-34107 · Unknown · Spree Commerce

Published 2025-08-20 · Updated 2025-08-20 · CVE-2011-10026

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Spreecommerce versions prior to 0.50.x

Description: The software contains a remote command execution issue in the API's search functionality. Insufficient input validation allows attackers to inject arbitrary shell commands through the search[instance_eval] parameter. The parameter name is dispatched as a method name via Ruby's send, so a key of instance_eval causes attacker-supplied Ruby to be evaluated, which in turn can run shell commands. This allows unauthenticated attackers to execute commands on the server.

Recommendations: Update to version 0.50.x or later.
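The pattern the description names, a request parameter key forwarded straight to send, and the usual fix, an explicit allowlist of search keys, side by side. This is an added example and is not Spree's code; ProductScope is a constructed stand-in for a query scope, and the allowlist names (name_cont, price_gt), the helper names and the sample query strings are assumptions made for the illustration. The last function also shows a defender-side check that flags disallowed search keys in a raw query string, which is useful for scanning access logs or a WAF rule.

```ruby
require "cgi"

# Constructed stand-in for an ORM query scope; each search method appends a
# condition and returns self so calls chain. Real code would bind parameters
# rather than interpolate values into SQL text.
class ProductScope
  attr_reader :conditions

  def initialize
    @conditions = []
  end

  def name_cont(value)
    @conditions << "name LIKE '%#{value}%'"
    self
  end

  def price_gt(value)
    @conditions << "price > #{Float(value)}"
    self
  end
end

# Vulnerable pattern (illustrative): every request key becomes a method call.
# A key such as "instance_eval" reaches the interpreter, which is the defect
# the advisory describes. Shown for contrast only; nothing hostile is passed
# to it in this file.
def build_search_unsafe(scope, params)
  params.each { |key, value| scope = scope.send(key, value) }
  scope
end

# Hardened pattern: only keys in an explicit allowlist are dispatched, and
# public_send is used so private methods stay unreachable even if the
# allowlist is later widened by mistake. Assumed allowlist for this example.
ALLOWED_SEARCH_KEYS = %w[name_cont price_gt].freeze

class DisallowedSearchKey < StandardError; end

def build_search_safe(scope, params)
  params.each do |key, value|
    name = key.to_s
    unless ALLOWED_SEARCH_KEYS.include?(name)
      raise DisallowedSearchKey, "search key not permitted: #{name}"
    end
    scope = scope.public_send(name, value)
  end
  scope
end

# True when the hardened builder refuses the given parameter set.
def rejects?(params)
  build_search_safe(ProductScope.new, params)
  false
rescue DisallowedSearchKey
  true
end

# Defender-side check: returns the search[...] keys in a query string that are
# not on the allowlist, e.g. for scanning request logs. Hypothetical helper.
def disallowed_search_keys(query_string)
  CGI.parse(query_string).keys.filter_map do |param|
    m = param.match(/\Asearch\[(\w+)\]\z/)
    next unless m
    m[1] unless ALLOWED_SEARCH_KEYS.include?(m[1])
  end
end

if __FILE__ == $PROGRAM_NAME
  benign = { "name_cont" => "shirt", "price_gt" => "10" }      # constructed input
  p build_search_safe(ProductScope.new, benign).conditions
  p rejects?({ "instance_eval" => "x" })                        # => true
  p disallowed_search_keys("search[name_cont]=a&search[instance_eval]=x")
end
```

The allowlist is the essential control: the set of acceptable method names is fixed by the application, not derived from the request, so the request can never name instance_eval, send, or anything else outside it. public_send is defence in depth rather than the fix on its own, since instance_eval is a public method.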

Weakness Enumeration

Code Injection
OS Command Injection

Related Identifiers

CVE-2011-10026
GHSA-X485-RHG3-CQR4

Affected Products

Spree Commerce