Security Advisory: Spree e-commerce JSON v.0.11x

Uma versão em PDF também está disponível | A PDF version is also available

Spree e-commerce JSON Hijacking Vulnerabilities – CVE-2010-3978



Spree e-commerce is an open source commerce platform written for the Ruby on Rails framework supporting “Over 100 extensions created by our active and dedicated community”. This problem was confirmed in the following versions of the Spree e-commerce, other versions maybe also affected.

    • All 0.11.x versions


    • The upcoming code 0.30.x versions


CVSS Scoring System

The CVSS score is: 2.7

    • Base Score: 3.3


    • Temporal Score: 2.7

We used the following values to calculate the scores:

    • Base score is: AV:N/AC:L/Au:N/C:C/I:N/A:N


    • Temporal score is: E:F/RL:OF/RC:C



There are multiple JSON Hijacking vulnerabilities and as result, an attacker can steal confidential information such as product costs, price and quantities and users email, encrypted password, tokens, OpenID identifier, phone and address as well as orders count and values by period.

There are some pages within the default Spree installation that use JavaScript Object Notation (JSON) as a transport mechanism between the client and the server. As the application cannot differentiate real requests from forged requests, and the JSON object returned can be accessed by the attacker’s malicious code via a script tag, those pages are vulnerable to an attack known as JSON Hijacking.

The affected pages are:

– /admin/products.json

– /admin/users.json

– /admin/overview/get_report_data

Proof of concept exploitation code is available to interested parties.


The vulnerability described in this security advisory was discovered by Gabriel Quadros on October 1st 2010 during a internal security research.

Originalmente postado no Blog da Conviso Application Security – Siga-nos no Twitter @conviso Google+
About author


A team of professionals, highly connected on news, techniques and information about application security
Related posts
Application SecurityNews

The Amazing Electrosphere

In the daily journey of security analysts, when performing intrusion tests, some steps end up being…
Read more
Application SecurityCode FightersNews

Research: CVE-2021-43076 and the Risks Caused by Insecure Design

In the latest edition of OWASP TOP 10 Vulnerabilities 2021, some new categories were introduced in…
Read more
Application SecurityCode FightersNews

Case Study: Plone CVE-2021-33512 and Threat Modeling with Conviso Platform

An internal project by Conviso’s Consulting team, called ConsultingLabs, was created with the…
Read more

Deixe um comentário