VRDA Feed by JPCERT/CC
  Vulnerability Response Decision Assistance Feed : Information for vulnerability impact analysis
Vulnerability Analysis Result (Revision No : 1)
CVE-2010-3978
spree: Spree 0.11.x before 0.11.2 and 0.30.x before 0.30.0...
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3978

Original

Spree 0.11.x before 0.11.2 and 0.30.x before 0.30.0 exchanges data using JavaScript Object Notation (JSON) without a mechanism for validating requests, which allows remote attackers to obtain sensitive information via vectors involving (1) admin/products.json, (2) admin/users.json, or (3) admin/overview/get_report_data, related to a "JSON hijacking" issue.

About This Analysis Information
Analysis Information Provider: NIST NVD
First Published: 2010-11-17
Source Information Category: Advisory, Alert
Last Updated: 2010-11-18




Affected Product Tags
cpe:/a:spreecommerce:spree:0.11.0
cpe:/a:spreecommerce:spree:0.11.1
cpe:/a:spreecommerce:spree:0.30.0:beta1
 


Vulnerability Analysis Results (CVSS v2 base metrics; the value marked in the original analysis form is given for each metric)
Access Vector: Network
Access Complexity: Low
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: None
Availability Impact: None

Alternatives




References
BUGTRAQ 20101108 Spree e-commerce JSON Hijacking Vulnerabilities - CVE-2010-3978
CONFIRM http://spreecommerce.com/blog/2010/11/09/spree-0-30-0-released/
CONFIRM https://github.com/railsdog/spree/commit/d881b2bb610ea33e2364ff16feb8e702dfeda135
CONFIRM https://github.com/railsdog/spree/commit/19944bd999c310d9b10d16a41f48ebac97dc4fac
CONFIRM http://spreecommerce.com/blog/2010/11/02/json-hijacking-vulnerability/
MISC http://www.conviso.com.br/security-advisory-spree-e-commerce-json-v-0-11x/
MISC http://www.conviso.com.br/json-hijacking-vulnerability/
MISC http://twitter.com/conviso/statuses/29555076248




Vulnerability Type: Information Leak / Disclosure (CWE-200)





Copyright © 2010 JPCERT/CC All Rights Reserved.