VYPR · Moderate severity · NVD Advisory · Published Mar 8, 2013 · Updated Apr 29, 2026

CVE-2013-2506

Description

app/models/spree/user.rb in spree_auth_devise in Spree 1.1.x before 1.1.6, 1.2.x, and 1.3.x does not perform mass assignment safely when updating a user, which allows remote authenticated users to assign arbitrary roles to themselves.
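As an added illustration (not code from the Spree project): a plain-Ruby stand-in for the Rails 3 attr_accessible whitelist, using a hypothetical MassAssignmentError in place of ActiveModel's, which shows that the pre-fix whitelist lets a submitted spree_role_ids through while the patched whitelist rejects it, and how the fix's admin controller pulls role ids out of the hash before mass assignment.

```ruby
# Added illustration, not Spree code: minimal model of the attr_accessible
# whitelist to show why CVE-2013-2506 hinges on one symbol in that list.
class MassAssignmentError < StandardError; end  # stand-in for ActiveModel::MassAssignmentSecurity::Error

class WhitelistedModel
  attr_reader :attributes

  def initialize(accessible, strict: true)
    @accessible = accessible.map(&:to_s)
    @strict = strict
    @attributes = {}
  end

  # Mirrors update_attributes(params[:user]): every key in the hash is
  # checked against the whitelist before it is applied.
  def update_attributes(params)
    params.each do |key, value|
      unless @accessible.include?(key.to_s)
        raise MassAssignmentError, "can't mass-assign protected attribute: #{key}" if @strict
        next  # non-strict (logger) sanitizer: protected key is silently dropped
      end
      @attributes[key.to_s] = value
    end
    self
  end
end

COMMON = %i[email password password_confirmation remember_me persistence_token login]
BEFORE_FIX = COMMON + [:spree_role_ids]   # whitelist as of commit fda3ab9fb536
AFTER_FIX  = COMMON                        # whitelist as of commit 038d74771d3b

# Constructed request body: an ordinary account-edit form plus an extra
# spree_role_ids key alongside the expected fields.
CONSTRUCTED_PARAMS = { "email" => "user@example.test", "spree_role_ids" => ["1"] }

def roles_after_update(whitelist, strict: true)
  model = WhitelistedModel.new(whitelist, strict: strict)
  model.update_attributes(CONSTRUCTED_PARAMS)
  model.attributes["spree_role_ids"]
rescue MassAssignmentError
  :rejected
end

# Admin-side pattern from the fix: remove role ids from the hash before mass
# assignment and handle them explicitly, so they never reach the whitelist.
def split_roles(params)
  params = params.dup
  roles = params.delete("spree_role_ids") || []
  [params, roles.reject { |r| r.to_s.empty? }]
end
```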

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: spree_auth_devise (RubyGems)
Affected versions: >= 1.0.0, < 3.0.5
Patched versions: 3.0.5

Affected products (15)

  • Spreecommerce/Spree (15 versions)
    • cpe:2.3:a:spreecommerce:spree:1.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:spreecommerce:spree:1.1.1:*:*:*:*:*:*:*
    • cpe:2.3:a:spreecommerce:spree:1.1.2:*:*:*:*:*:*:*
    • cpe:2.3:a:spreecommerce:spree:1.1.3:*:*:*:*:*:*:*
    • cpe:2.3:a:spreecommerce:spree:1.1.4:*:*:*:*:*:*:*
    • cpe:2.3:a:spreecommerce:spree:1.1.5:*:*:*:*:*:*:*
    • cpe:2.3:a:spreecommerce:spree:1.1.6:*:*:*:*:*:*:*
    • cpe:2.3:a:spreecommerce:spree:1.2.0:*:*:*:*:*:*:*
    • cpe:2.3:a:spreecommerce:spree:1.2.1:*:*:*:*:*:*:*
    • cpe:2.3:a:spreecommerce:spree:1.2.2:*:*:*:*:*:*:*
    • cpe:2.3:a:spreecommerce:spree:1.2.3:*:*:*:*:*:*:*
    • cpe:2.3:a:spreecommerce:spree:1.2.4:*:*:*:*:*:*:*
    • cpe:2.3:a:spreecommerce:spree:1.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:spreecommerce:spree:1.3.1:*:*:*:*:*:*:*
    • cpe:2.3:a:spreecommerce:spree:1.3.2:*:*:*:*:*:*:*

Patches (2)
038d74771d3b

Remove Mass Assignment of Role IDs

https://github.com/spree/spree_auth_devise · John Dyer · Feb 22, 2013 · via ghsa
3 files changed · +47 −1
  • app/controllers/spree/admin/users_controller.rb (+41 −0, modified)
    @@ -16,6 +16,47 @@ def index
             end
           end
     
    +      def create
    +        if params[:user]
    +          roles = params[:user].delete("spree_role_ids")
    +        end
    +
    +        @user = Spree::User.new(params[:user])
    +        if @user.save
    +
    +          if roles
    +            @user.spree_roles = roles.reject(&:blank?).collect{|r| Spree::Role.find(r)}
    +          end
    +
    +          flash.now[:notice] = t(:created_successfully)
    +          render :edit
    +        else
    +          render :new
    +        end
    +      end
    +
    +      def update
    +        if params[:user]
    +          roles = params[:user].delete("spree_role_ids")
    +        end
    +
    +        if @user.update_attributes(params[:user])
    +          if roles
    +            @user.spree_roles = roles.reject(&:blank?).collect{|r| Spree::Role.find(r)}
    +          end
    +
    +          if params[:user][:password].present?
    +            # this logic needed b/c devise wants to log us out after password changes
    +            user = Spree::User.reset_password_by_token(params[:user])
    +            sign_in(@user, :event => :authentication, :bypass => !Spree::Auth::Config[:signout_after_password_change])
    +          end
    +          flash.now[:notice] = t(:account_updated)
    +          render :edit
    +        else
    +          render :edit
    +        end
    +      end
    +
           def generate_api_key
             if @user.generate_spree_api_key!
               flash.notice = t('key_generated', :scope => 'spree.api')
    
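Review bot: in `update`, the line `if params[:user][:password].present?` dereferences `params[:user]` without the nil guard that `roles = params[:user].delete("spree_role_ids")` has just above it, so a request with no `user` key gets past `update_attributes(nil)` and then raises NoMethodError; reuse the guard, e.g. `if params[:user] && params[:user][:password].present?`. Two smaller points in the same action: `user = Spree::User.reset_password_by_token(params[:user])` assigns a local that is never read, and `Spree::Role.find(r)` runs only after the user has been saved, so an unknown role id raises RecordNotFound and leaves a half-applied update (the same ordering exists in `create`); resolving the roles before the save, or wrapping both steps in a transaction, avoids that.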
  • app/models/spree/user.rb (+1 −1, modified)
    @@ -14,7 +14,7 @@ class User < ActiveRecord::Base
         before_destroy :check_completed_orders
     
         # Setup accessible (or protected) attributes for your model
    -    attr_accessible :email, :password, :password_confirmation, :remember_me, :persistence_token, :login, :spree_role_ids
    +    attr_accessible :email, :password, :password_confirmation, :remember_me, :persistence_token, :login
     
         users_table_name = User.table_name
         roles_table_name = Role.table_name
    
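Review bot: removing `:spree_role_ids` from `attr_accessible` is the actual fix: a role id array submitted to the customer-facing account form no longer passes the whitelist, and the admin controller now assigns roles explicitly. Worth documenting that the observable behaviour depends on the app's mass assignment sanitizer: with `:strict` (which the new spec assumes) an offending request raises ActiveModel::MassAssignmentSecurity::Error, whereas the default logger sanitizer silently drops the key and only logs it. Either way the role is not assigned, but the spec passes only under the strict setting.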
  • spec/controllers/spree/users_controller_spec.rb (+5 −0, modified)
    @@ -3,6 +3,7 @@
     describe Spree::UsersController do
       let(:admin_user) { create(:user) }
       let(:user) { create(:user) }
    +  let(:role) { create(:role) }
     
       before do
         controller.stub(:spree_current_user => user)
    @@ -23,5 +24,9 @@
             response.should redirect_to(spree.account_url(:only_path => true))
           end
         end
    +
    +    it 'should not update roles' do
    +      expect { spree_put :update, { :user => { :spree_role_ids => [role.id] } }}.to raise_exception(ActiveModel::MassAssignmentSecurity::Error)
    +    end
       end
     end
    
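Review bot: the new example asserts only on the exception, so it documents the strict-sanitizer configuration and nothing else; adding an assertion that `user.spree_roles` is still empty after the request would hold under either sanitizer and states the property that matters. The admin `create` and `update` actions added in the same commit have no spec here; a test that a `spree_role_ids` array submitted to the admin controller is applied through the explicit `roles` path would cover them.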
fda3ab9fb536

Fix roles association references in admin/users/_roles.html.erb partial and in user model attr_accessible

https://github.com/spree/spree_auth_devise · Ryan Bigg · Jun 20, 2012 · via ghsa
2 files changed · +3 −3
  • app/models/spree/user.rb (+1 −1, modified)
    @@ -14,7 +14,7 @@ class User < ActiveRecord::Base
         before_destroy :check_completed_orders
     
         # Setup accessible (or protected) attributes for your model
    -    attr_accessible :email, :password, :password_confirmation, :remember_me, :persistence_token, :login, :role_ids
    +    attr_accessible :email, :password, :password_confirmation, :remember_me, :persistence_token, :login, :spree_role_ids
     
         users_table_name = User.table_name
         roles_table_name = Role.table_name
    
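Review bot: renaming `:role_ids` to `:spree_role_ids` keeps the role association mass-assignable on Spree::User, which is exactly the exposure CVE-2013-2506 describes: any controller that calls `update_attributes(params[:user])`, including the customer-facing account form, accepts a submitted `spree_role_ids` array. Role ids belong outside the whitelist and should be handled explicitly in the admin controller, which is what commit 038d74771d3b later does.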
  • app/views/spree/admin/users/_roles.html.erb (+2 −2, modified)
    @@ -3,10 +3,10 @@
         <%= label_tag nil, t(:roles) %><br />
         <% @roles.each do |role| %>
           <label class="sub">
    -        <%= check_box_tag 'user[role_ids][]', role.id, @user.spree_roles.include?(role), :id => "user_role_#{role.name}" %>
    +        <%= check_box_tag 'user[spree_role_ids][]', role.id, @user.spree_roles.include?(role), :id => "user_spree_role_#{role.name}" %>
             <%= role.name %>
           </label> &nbsp;
         <% end %>
    -    <%= hidden_field_tag 'user[role_ids][]', '' %>
    +    <%= hidden_field_tag 'user[spree_role_ids][]', '' %>
       </p>
     </div>
    
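Review bot: `hidden_field_tag 'user[spree_role_ids][]', ''` keeps the parameter present when every box is unchecked, so the submitted array always carries an empty string and whatever consumes it has to strip blanks (the controller in 038d74771d3b does so with `reject(&:blank?)`). A one-line comment on the partial saying why the blank entry is there would save the next reader a trip to the controller.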
