CVE-2008-7310

Published: Apr 5, 2012Modified: Apr 29, 2026

5.0

Vector

AV:N/AC:L/Au:N/C:N/I:P/A:N

Exploitability: 10.0 / Impact: 2.9

Source: NVD

Description

Spree 0.2.0 does not properly restrict the use of a hash to provide values for a model's attributes, which allows remote attackers to set the Order state value and bypass the intended payment step via a modified URL, related to a "mass assignment" vulnerability.

Affected (1)

Products: Spreecommerce: Spree

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Spreecommerce Spree	Version 0.2.0

Related CWEs

References (4)

http://railspikes.com/2008/9/22/is-your-rails-application-safe-from-mass-assignment

Source: cve@mitre.org

http://spreecommerce.com/blog/2008/09/16/security-vulnerability-mass-assignment-of-order-params/

Source: cve@mitre.org

Vendor Advisory

http://railspikes.com/2008/9/22/is-your-rails-application-safe-from-mass-assignment

Source: af854a3a-2127-422b-91ae-364da2661108

http://spreecommerce.com/blog/2008/09/16/security-vulnerability-mass-assignment-of-order-params/

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.