We have just released Spree 0.60.2, which contains an important security fix. A vulnerability exists in the ProductScope class that could allow for unauthenticated remote command execution. To put it simply, you should either upgrade immediately or add your own custom fix based on this commit.
Special thanks to joernchen of Phenoelit for discovering and reporting the problem through the appropriate channels (which is a private email to email@example.com). Roman Smirnov (aka romul) provided the necessary fix.
The edge code has also been updated to include this fix. There are also a few other minor issues addressed in this release. See the GitHub compare view for the full details.
We are currently working on an improved solution for handling the reporting of security issues. We will be announcing a new initiative on this front in the near future.