Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
N/A
Vulnerability Description
Spree Commerce 1.0.x through 1.3.2 allows remote authenticated administrators to instantiate arbitrary Ruby objects and execute arbitrary commands via the (1) payment_method parameter to core/app/controllers/spree/admin/payment_methods_controller.rb; and the (2) promotion_action parameter to promotion_actions_controller.rb, (3) promotion_rule parameter to promotion_rules_controller.rb, and (4) calculator_type parameter to promotions_controller.rb in promo/app/controllers/spree/admin/, related to unsafe use of the constantize function.
CVSS Information
N/A
Vulnerability Type
N/A
Vulnerability Title
Spree Commerce 任意命令执行漏洞
Vulnerability Description
Spree Commerce(又名Spree)是美国Spree Commerce公司的一套基于Ruby on Rails的开源电子商务解决方案。 Spree Commerce 1.0.x至1.3.2版本中存在漏洞。通过与不安全使用‘constantize’函数有关的(1)payment_method参数传送到core/app/controllers/spree/admin/payment_methods_controller.rb;在promo/app/controllers/spree/admin/目录
CVSS Information
N/A
Vulnerability Type
N/A