Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
N/A
Vulnerability Description
app/models/spree/user.rb in spree_auth_devise in Spree 1.1.x before 1.1.6, 1.2.x, and 1.3.x does not perform mass assignment safely when updating a user, which allows remote authenticated users to assign arbitrary roles to themselves.
CVSS Information
N/A
Vulnerability Type
N/A
Vulnerability Title
Spree ‘app/models/spree/user.rb’角色分配漏洞
Vulnerability Description
Spree(又名Spree Commerce)是美国Spree Commerce公司的一套基于Ruby on Rails的开源电子商务解决方案。 Spree 1.1.6之前的1.1.x版本,1.2.x版本,1.3.x版本中的spree_auth_devise中的app/models/spree/user.rb中存在漏洞,该漏洞源于更新用户时,程序没有正确执行安全的质量分配。远程认证攻击者利用该漏洞给自己分配任意角色。
CVSS Information
N/A
Vulnerability Type
N/A