Description
Spreecommerce versions prior to 0.60.2 contain a remote command execution vulnerability in the search functionality. The application fails to properly sanitize input passed via the search[send][] parameter, which is dynamically invoked using Ruby's send method. This allows attackers to execute arbitrary shell commands on the server without authentication.
References
- Product
- Exploit, Third Party Advisory
- Release Notes
- Exploit, VDB Entry
- Third Party Advisory
Vulnerable configurations
Configuration 1: versions before 0.60.2 (excluding)
cpe:2.3:a:spreecommerce:spree:*:*:*:*:*:*:*:*
EPSS
- Percentile: 99%
- Score: 0.6931
- Medium
CVSS3
- 9.8 Critical
Weaknesses
- CWE-94
- CWE-1321
Related vulnerabilities
- CVSS3: 9.8
- github
- 6 months ago
- Spree has Remote Command Execution vulnerability in search functionality
EPSS
- Percentile: 99%
- Score: 0.6931
- Medium
CVSS3
- 9.8 Critical
Weaknesses
- CWE-94
- CWE-1321