CVE-2011-10019

Summary

Spreecommerce versions prior to 0.60.2 contains a remote command execution vulnerability in its search functionality. The application fails to properly sanitize input passed via the search[send][] parameter, which is dynamically invoked using Ruby’s send method. This allows attackers to execute arbitrary shell commands on the server without authentication.

Affected Software

VendorProductVersion RangeStatus
SpreecommerceSpreecommerce0 < 0.60.2affected

Weaknesses

  • CWE-94: CWE-94 Improper Control of Generation of Code ('Code Injection')
  • CWE-1321: CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: total

References