VYPR
Moderate severity · NVD Advisory · Published Nov 17, 2010 · Updated Jun 16, 2026

CVE-2010-3978

Description

Spree 0.11.x before 0.11.2 and 0.30.x before 0.30.0 exchanges data using JavaScript Object Notation (JSON) without a mechanism for validating requests, which allows remote attackers to obtain sensitive information via vectors involving (1) admin/products.json, (2) admin/users.json, or (3) admin/overview/get_report_data, related to a "JSON hijacking" issue.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
|---|---|---|
| spree (RubyGems) | >= 0.11.0, < 0.11.2 | 0.11.2 |
| spree (RubyGems) | >= 0.30.0.beta1, < 0.30.0 | 0.30.0 |


Affected products

4
  • Spree/Spree (3 versions)
    • cpe:2.3:a:spreecommerce:spree:0.11.0:*:*:*:*:*:*:*
    • cpe:2.3:a:spreecommerce:spree:0.11.1:*:*:*:*:*:*:*
    • cpe:2.3:a:spreecommerce:spree:0.30.0:beta1:*:*:*:*:*:*
  • ghsa-coords
    Range: >= 0.11.0, < 0.11.2

References

16
