CVE-2011-10019

Exploit

EPSS 3.82%
Veröffentlicht 13.08.2025 20:53:33
Zuletzt bearbeitet 24.09.2025 00:31:10
Quelle disclosure@vulncheck.com
CVE-Watchlists
Login
Unerledigt
Login

Spreecommerce < 0.60.2 Search Parameter RCE

Spreecommerce versions prior to 0.60.2 contains a remote command execution vulnerability in its search functionality. The application fails to properly sanitize input passed via the search[send][] parameter, which is dynamically invoked using Ruby’s send method. This allows attackers to execute arbitrary shell commands on the server without authentication.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 8

NVD 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Spreecommerce ≫ Spree Version < 0.60.2

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	3.82%	0.887

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
disclosure@vulncheck.com	10	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

CWE-94 Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/spree_search_exec.rb

Third Party Advisory

Exploit

https://www.exploit-db.com/exploits/17941

Exploit

VDB Entry

https://web.archive.org/web/20111009192436/http://spreecommerce.com/blog/2011/10/05/remote-command-product-group/

Release Notes

https://www.vulncheck.com/advisories/spreecommerce-search-parameter-rce

Third Party Advisory

https://github.com/orgs/spree

Product

https://nvd.nist.gov/vuln/detail/CVE-2011-10019

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2011-10019

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2011-10019

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2011-10019