Description
The session cookie store implementation in Spree 0.2.0 uses a hardcoded config.action_controller_session hash value (aka secret key), which makes it easier for remote attackers to bypass cryptographic protection mechanisms by leveraging an application that contains this value within the config/environment.rb file.
References (2)
Issue Tracking (x_refsource_confirm): http://support.spreehq.org/issues/show/63
Vendor Advisory (x_refsource_confirm): http://spreecommerce.com/blog/2008/08/12/security-vulernability-session-cookie-store/
Scores
EPSS: 0.0016
EPSS Percentile: 36.2%
Details
CWE: CWE-255 (Credentials Management Errors)
Status: published
Products (2)
rubygems/spree: 0 - 0.4.0 (RubyGems)
spreecommerce/spree: 0.2.0
Published: Apr 05, 2012
Tracked Since: Feb 18, 2026