CVE-2008-7310
CVSS 5 · MEDIUM
Summary
Spree 0.2.0 does not properly restrict the use of a hash to provide values for a model's attributes, which allows remote attackers to set the Order state value and bypass the intended payment step via a modified URL, related to a "mass assignment" vulnerability.
CVSS 2.0 breakdown
| Metric | Value |
| --- | --- |
| Base score | 5 (MEDIUM) |
| Vector | AV:N/AC:L/Au:N/C:N/I:P/A:N |
| Attack vector | NETWORK |
| Attack complexity | LOW |
| Confidentiality | NONE |
| Integrity | PARTIAL |
| Availability | NONE |
Weakness type (CWE)
Affected products
Spreecommerce spree
References
- http://railspikes.com/2008/9/22/is-your-rails-application-safe-from-mass-assignment
- http://spreecommerce.com/blog/2008/09/16/security-vulnerability-mass-assignment-of-order-params/
Data: NIST NVD. NVD last modified 2026-04-29. Always verify against the vendor advisory before acting.