CVE-2008-7311

EUVD-2022-3880
The session cookie store implementation in Spree 0.2.0 uses a hardcoded config.action_controller_session hash value (aka secret key), which makes it easier for remote attackers to bypass cryptographic protection mechanisms by leveraging an application that contains this value within the config/environment.rb file.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5 UNKNOWN
NETWORK
LOW
AV:N/AC:L/Au:N/C:N/I:P/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 36%
Affected Products (NVD)
VendorProductVersion
spreecommercespree
0.2.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://spreecommerce.com/blog/2008/08/12/security-vulernability-session-cookie-store/
http://support.spreehq.org/issues/show/63
http://spreecommerce.com/blog/2008/08/12/security-vulernability-session-cookie-store/
http://support.spreehq.org/issues/show/63