app/models/spree/user.rb in spree_auth_devise in Spree 1.1.x before 1.1.6, 1.2.x, and 1.3.x does not perform mass assignment safely when updating a user, which allows remote authenticated users to assign arbitrary roles to themselves.
| Software | From | Fixed in |
|---|---|---|
| spreecommerce / spree | 1.2.3 | 1.2.3.x |
| spreecommerce / spree | 1.3.2 | 1.3.2.x |
| spreecommerce / spree | 1.1.2 | 1.1.2.x |
| spreecommerce / spree | 1.3.1 | 1.3.1.x |
| spreecommerce / spree | 1.1.1 | 1.1.1.x |
| spreecommerce / spree | 1.2.4 | 1.2.4.x |
| spreecommerce / spree | 1.2.1 | 1.2.1.x |
| spreecommerce / spree | 1.3.0 | 1.3.0.x |
| spreecommerce / spree | 1.1.6 | 1.1.6.x |
| spreecommerce / spree | 1.2.0 | 1.2.0.x |
| spreecommerce / spree | 1.1.4 | 1.1.4.x |
| spreecommerce / spree | 1.2.2 | 1.2.2.x |
| spreecommerce / spree | 1.1.3 | 1.1.3.x |
| spreecommerce / spree | 1.1.5 | 1.1.5.x |
| spreecommerce / spree | 1.1.0 | 1.1.0.x |
| spree_auth_devise | 1.0.0 | 3.0.5 |
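
The mass-assignment flaw described above, reduced to plain Ruby as an added example (not code from Spree or spree_auth_devise): the `User` class, its `role_ids` attribute and the sample request are assumptions made for illustration. It contrasts an update that applies every submitted key with one that applies only an allowlist and reports what it dropped.

```ruby
# Simplified model of a user record; this is NOT Spree's Spree::User class.
# Attribute names (email, password, role_ids) are assumptions for illustration.
class User
  attr_accessor :email, :password, :role_ids

  # Attributes an ordinary account holder may change on their own record.
  SELF_EDITABLE = %w[email password].freeze

  def initialize(email:, role_ids: [])
    @email = email
    @password = nil
    @role_ids = role_ids
  end

  # Unsafe: every key in the request hash is written to the record, so a
  # role_ids key sent alongside a profile update is honoured.
  def update_unsafe(params)
    params.each { |key, value| public_send("#{key}=", value) }
    self
  end

  # Safe: only allowlisted keys are applied; the names of all other keys
  # are returned so the caller can log or reject the request.
  def update_safe(params)
    allowed, rejected = params.partition { |key, _| SELF_EDITABLE.include?(key.to_s) }
    allowed.each { |key, value| public_send("#{key}=", value) }
    rejected.map { |key, _| key.to_s }
  end
end

# Constructed request body: a profile update carrying an extra role_ids field.
SAMPLE_PARAMS = { "email" => "new@example.com", "role_ids" => [1] }.freeze

# Applies the same constructed request through both update paths.
def demo
  unsafe_user = User.new(email: "old@example.com").update_unsafe(SAMPLE_PARAMS)
  safe_user = User.new(email: "old@example.com")
  rejected = safe_user.update_safe(SAMPLE_PARAMS)
  { unsafe_roles: unsafe_user.role_ids, safe_roles: safe_user.role_ids,
    safe_email: safe_user.email, rejected: rejected }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The list of rejected keys is worth logging: a self-service update that includes a role field is a useful signal when reviewing requests against unpatched versions.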