CVE-2011-10019
Published: 2025-08-13
Priority: P2 (76) · Severity: critical, 9.8 (CVSS 3.1) · Exploit available
EPSS: 3.82% (88.7th percentile)
Spreecommerce versions prior to 0.60.2 contain a remote command execution vulnerability in the search functionality. The application fails to properly sanitize input passed via the search[send][] parameter, which is dynamically invoked using Ruby's send method. This allows unauthenticated attackers to execute arbitrary shell commands on the server.
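The Ruby snippet below is an added example, not Spree's own code: it shows the vulnerability class the description names, a request parameter array handed straight to Ruby's send, beside an allowlisted dispatcher that rejects anything outside the intended filter methods. The ProductSearch class, the parameter layout (first element is the method name, the rest are its arguments) and the filter method names are assumptions made for illustration.

```ruby
require 'cgi'

# Stand-in for a search object with two legitimate filter methods.
# Illustration of the vulnerability class only, not Spree's own code.
class ProductSearch
  attr_reader :filters

  def initialize
    @filters = []
  end

  def name_like(value)
    @filters << [:name_like, value]
    self
  end

  def price_gte(value)
    @filters << [:price_gte, Float(value)]
    self
  end
end

# Rack-style parsing of "search[send][]=a&search[send][]=b" into ["a", "b"].
# Assumed (simplified) shape: first element is the method name, the rest are arguments.
def send_params(query)
  CGI.parse(query).fetch('search[send][]', [])
end

# Unsafe pattern: the client names the method. Every Object/Kernel method is
# reachable, and plain send also ignores visibility, so private methods are callable.
def apply_unsafe(search, query)
  name, *args = send_params(query)
  search.send(name, *args)
end

# Hardened pattern: dispatch only to an explicit allowlist of filter methods.
# public_send on its own is not enough: instance_variable_set, send and
# similar methods are public, so the allowlist check is what actually matters.
SEARCH_METHODS = %w[name_like price_gte].freeze

def apply_safe(search, query)
  name, *args = send_params(query)
  unless SEARCH_METHODS.include?(name)
    raise ArgumentError, "rejected search method: #{name.inspect}"
  end
  search.public_send(name, *args)
end
```

With the unsafe dispatcher a request naming instance_variable_get reads internal state of the search object; the allowlisted version raises on the same request and only ever calls name_like or price_gte.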
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| spree | spree | >= 0 < 0.60.2 | 0.60.2 |
| spreecommerce | spree | < 0.60.2 | 0.60.2 |
| spreecommerce | spreecommerce | < 0.60.2 | 0.60.2 |
Detection & IOCs (extracted from sources)
- A Metasploit module exists for this vulnerability targeting Spreecommerce 0.60.1; look for exploit framework signatures or payloads associated with the module path exploits/multi/http/spree_search_exec.
- The vulnerability affects Spreecommerce versions prior to 0.60.2 only; patched versions are not affected.
CVSS provenance
- NVD, CVSS v3.1: 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- NVD, CVSS v4.0: 10.0 CRITICAL (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
GHSA advisory (2025-08-13): CVE-2011-10019 [CRITICAL] CWE-1321. Title: Spree has Remote Command Execution vulnerability in search functionality. The advisory text matches the description above.
OSV entry (2025-08-13): CVE-2011-10019 [CRITICAL]. Title: Spree has Remote Command Execution vulnerability in search functionality. The entry text matches the description above.
No detection rules found.
No writeups or analysis indexed.
References:
- https://github.com/orgs/spree
- https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/spree_search_exec.rb
- https://web.archive.org/web/20111009192436/http://spreecommerce.com/blog/2011/10/05/remote-command-product-group/
- https://www.exploit-db.com/exploits/17941
- https://www.vulncheck.com/advisories/spreecommerce-search-parameter-rce