We have just released several new versions of Spree which contain important security fixes. A vulnerability exists in Product Scopes that could allow unauthenticated remote command execution. There is also a potential XSS vulnerability related to the analytics dashboard. Finally, the new releases also upgrade to the latest version of Rails, which includes additional security fixes made by the Rails team.
The remote command execution vulnerability is quite serious and affects all versions of Spree. You should upgrade to one of the following secure versions of Spree immediately: 0.11.4, 0.70.6, 1.0.5 or 1.1.2.
Thanks to joernchen from Phenoelit and Michael Bianco from Ascension Press for bringing these issues to our attention.
If you believe you’ve found a security vulnerability, please do not post publicly about it. Email us at firstname.lastname@example.org and we will investigate and fix the issue as quickly as possible.
Please consult the following list of scenarios to find out what the recommendations are for your particular version of Spree.
Spree Versions Affected
1.1.x
It’s recommended that you update to v1.1.2. This contains the security fix as well as other bug and stability fixes.
See the Github compare view for the full details.
1.0.x
It’s recommended that you update to v1.0.5. This contains the security fix as well as other bug and stability fixes.
0.70.x
It’s recommended that you update to v0.70.6. This release contains only the security fix.
0.20.x – 0.60.x
It’s recommended that you update to v0.70.6. This is a fairly easy upgrade (no major changes in Rails version, etc.) and we cannot continue to support older versions of Spree indefinitely.
0.11.x
It’s recommended that you update to v0.11.4. This release contains only the security fix.
Spree Analytics Extension
If you are using the spree_analytics extension you need to update to 079949fd to receive the most recent security fix. If you are using Spree 1.0.x or greater, analytics is included in Spree itself and updating to the latest secure Spree version will take care of this for you.
Spree Commitment to Security
The Spree team remains committed to the highest standard of security in its software. Spree is used by thousands of stores worldwide and the source code is under constant review by the community. We believe in disclosing all security vulnerabilities to the public in a timely and responsible fashion. Thanks again to joernchen from Phenoelit and Michael Bianco from Ascension Press for working with us while we resolved this issue.