05 Feb '13, 12am
Important security update which affects all versions of Spree 1.0.x or greater.

Exploits found within Core and API

Posted January 31, 2013 by Ryan Bigg

Please upgrade your Spree stores now to their latest gem versions: 1.3.2, 1.2.4, 1.1.5 or 1.0.7.

Thanks to the work of Egor Homakov, we have located and patched two serious exploits within Spree. The first allows a user to authenticate as a random user to the API, which could potentially lead to them authenticating as an admin user for the store. The second allows them to issue a Denial of Service attack against the store using a specially crafted URL.

We have patched the 1-0-stable, 1-1-stable, 1-2-stable, 1-3-stable and master branches of Spree, and have released new gem versions for the stable branches. We strongly advise all Spree stores to upgrade to their latest gem versions so that they are not affected by these exploits.
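The advisory gives one fixed version per stable series, so the practical question for an operator is "is the spree gem pinned in my Gemfile.lock still below the fix for its series?". The following Ruby script is an added example written for this page, not code from the Spree project or from the advisory: it compares a version against the fixed versions listed above using Gem::Version (so pre-release versions such as 1.3.2.beta sort correctly), refuses to silently pass a series the advisory does not list, and reads the pinned version out of a Gemfile.lock. The lockfile text at the bottom is a constructed sample, not a real store's lockfile.

```ruby
require 'rubygems' # provides Gem::Version

# Fixed gem version per stable series, as listed in the advisory.
FIXED_VERSIONS = {
  '1.0' => '1.0.7',
  '1.1' => '1.1.5',
  '1.2' => '1.2.4',
  '1.3' => '1.3.2'
}.freeze

# "major.minor" series of a version string, e.g. "1.2.3" -> "1.2".
def spree_series(version)
  Gem::Version.new(version).segments.first(2).join('.')
end

# Classifies a Spree version against the advisory.
# Returns a hash with :affected set to true, false or :unknown.
def spree_advisory_status(version)
  v = Gem::Version.new(version)

  # The advisory covers 1.0.x and greater only; older releases are out of scope here.
  return { affected: false, reason: 'below 1.0, not covered by this advisory' } if v < Gem::Version.new('1.0')

  series = spree_series(version)
  fixed = FIXED_VERSIONS[series]

  # A series the advisory does not list (e.g. a later one) must be checked by hand,
  # so it is reported as unknown rather than as safe.
  return { affected: :unknown, reason: "no fixed version listed for series #{series}" } if fixed.nil?

  if v < Gem::Version.new(fixed)
    { affected: true, upgrade_to: fixed }
  else
    { affected: false, reason: "at or above #{fixed}" }
  end
end

# Pulls the pinned spree version out of a Gemfile.lock. In the lockfile the
# resolved spec line sits under "specs:" indented by four spaces, e.g.
#     spree (1.3.1)
# The DEPENDENCIES section uses two spaces and a constraint, so it is not matched.
def spree_version_from_lockfile(lock_text)
  m = lock_text.match(/^ {4}spree \(([^)]+)\)/)
  m && m[1]
end

# Constructed sample lockfile fragment (not from any real store).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      spree (1.3.1)
        spree_api (= 1.3.1)
        spree_core (= 1.3.1)
      spree_api (1.3.1)
      spree_core (1.3.1)

  DEPENDENCIES
    spree (= 1.3.1)
LOCK

if __FILE__ == $PROGRAM_NAME
  version = spree_version_from_lockfile(SAMPLE_LOCKFILE)
  puts "pinned spree version: #{version}"
  puts spree_advisory_status(version).inspect
end
```

Run it against a real lockfile by replacing SAMPLE_LOCKFILE with File.read('Gemfile.lock'); an :affected value of :unknown means the series is not one the advisory names and needs a manual check.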