VYPR
Moderate severityNVD Advisory· Published Mar 8, 2013· Updated Jun 16, 2026

CVE-2013-2506

CVE-2013-2506

Description

app/models/spree/user.rb in spree_auth_devise in Spree 1.1.x before 1.1.6, 1.2.x, and 1.3.x does not perform mass assignment safely when updating a user, which allows remote authenticated users to assign arbitrary roles to themselves.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
spree_auth_deviseRubyGems
>= 1.0.0, < 3.0.53.0.5

Affected products

16
  • Spree/Spree15 versions
    cpe:2.3:a:spreecommerce:spree:1.1.0:*:*:*:*:*:*:*+ 14 more
    • cpe:2.3:a:spreecommerce:spree:1.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:spreecommerce:spree:1.1.1:*:*:*:*:*:*:*
    • cpe:2.3:a:spreecommerce:spree:1.1.2:*:*:*:*:*:*:*
    • cpe:2.3:a:spreecommerce:spree:1.1.3:*:*:*:*:*:*:*
    • cpe:2.3:a:spreecommerce:spree:1.1.4:*:*:*:*:*:*:*
    • cpe:2.3:a:spreecommerce:spree:1.1.5:*:*:*:*:*:*:*
    • cpe:2.3:a:spreecommerce:spree:1.1.6:*:*:*:*:*:*:*
    • cpe:2.3:a:spreecommerce:spree:1.2.0:*:*:*:*:*:*:*
    • cpe:2.3:a:spreecommerce:spree:1.2.1:*:*:*:*:*:*:*
    • cpe:2.3:a:spreecommerce:spree:1.2.2:*:*:*:*:*:*:*
    • cpe:2.3:a:spreecommerce:spree:1.2.3:*:*:*:*:*:*:*
    • cpe:2.3:a:spreecommerce:spree:1.2.4:*:*:*:*:*:*:*
    • cpe:2.3:a:spreecommerce:spree:1.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:spreecommerce:spree:1.3.1:*:*:*:*:*:*:*
    • cpe:2.3:a:spreecommerce:spree:1.3.2:*:*:*:*:*:*:*
  • ghsa-coords
    Range: >= 1.0.0, < 3.0.5

Patches

Vulnerability mechanics

References

9

News mentions

0

No linked articles in our index yet.