CVE-2008-7310

UNKNOWN

Spree 0

Published Apr 4, 2012

Modified 1 years ago

No fix available

Details

Spree 0.2.0 does not properly restrict the use of a hash to provide values for a model's attributes, which allows remote attackers to set the Order state value and bypass the intended payment step via a modified URL, related to a "mass assignment" vulnerability.

References

WEBhttp://railspikes.com/2008/9/22/is-your-rails-application-safe-from-mass-assignment WEBhttp://spreecommerce.com/blog/2008/09/16/security-vulnerability-mass-assignment-of-order-params/ADVISORYhttps://www.cve.org/CVERecord?id=CVE-2008-7310

CVSS Analysis

CVSS v2.0

5.0

Exploitability

Access Vector

NetworkAV:N

Access Complexity

LowAC:L

Authentication

NoneAu:N

Impact

Confidentiality

NoneC:N

Integrity

PartialI:P

Availability

NoneA:N

5/AV:N/AC:L/Au:N/C:N/I:P/A:N

Ecosystems

Timeline

PublishedApr 4, 2012

ModifiedSep 16, 2024