Home > Vulnerability Database > CVE-2010-3978

Mend.io Vulnerability Database

CVE-2010-3978

Good to know:

Date: November 17, 2010

Spree 0.11.x before 0.11.2 and 0.30.x before 0.30.0 exchanges data using JavaScript Object Notation (JSON) without a mechanism for validating requests, which allows remote attackers to obtain sensitive information via vectors involving (1) admin/products.json, (2) admin/users.json, or (3) admin/overview/get_report_data, related to a "JSON hijacking" issue.

Language: Python

Severity Score

5.3

Related Resources (17)

Url: http://www.conviso.com.br/security-advisory-spree-e-commerce-json-v-0-11x/

Url: http://spreecommerce.com/blog/2010/11/02/json-hijacking-vulnerability

Url: https://nvd.nist.gov/vuln/detail/CVE-2010-3978

Url: https://spreecommerce.com/blog/json-hijacking-vulnerability

Url: https://github.com/railsdog/spree/commit/d881b2bb610ea33e2364ff16feb8e702dfeda135

Url: http://spreecommerce.com/blog/2010/11/09/spree-0-30-0-released

Url: http://www.conviso.com.br/json-hijacking-vulnerability/

Url: http://www.conviso.com.br/json-hijacking-vulnerability

Url: http://spreecommerce.com/blog/2010/11/02/json-hijacking-vulnerability/

Url: https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree/CVE-2010-3978.yml

Url: http://twitter.com/conviso/statuses/29555076248

Url: http://www.conviso.com.br/security-advisory-spree-e-commerce-json-v-0-11x

Url: https://github.com/railsdog/spree/commit/19944bd999c310d9b10d16a41f48ebac97dc4fac

Url: https://github.com/spree/spree

Url: http://www.securityfocus.com/archive/1/514674/100/0/threaded

Url: http://spreecommerce.com/blog/2010/11/09/spree-0-30-0-released/

Url: https://www.mend.io/vulnerability-database/CVE-2010-3978

Severity Score

5.3

Weakness Type (CWE)

Information Leak / Disclosure

CWE-200

Top Fix

Upgrade Version

Upgrade to version 0.11.2,0.30.0

Learn More

CVSS v3.1

Base Score:	5.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	NONE
Availability (A):	NONE

CVSS v2

Base Score:	5.0
Access Vector (AV):	NETWORK
Access Complexity (AC):	LOW
Authentication (AU):	NONE
Confidentiality (C):	PARTIAL
Integrity (I):	NONE
Availability (A):	NONE
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2010-3978

Good to know:

Date: November 17, 2010

Language: Python

Severity Score

Related Resources (17)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?