CVE-2008-7311

The session cookie store implementation in Spree 0.2.0 uses a hardcoded config.action_controller_session hash value (aka secret key), which makes it easier for remote attackers to bypass cryptographic protection mechanisms by leveraging an application that contains this value within the config/environment.rb file.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5 UNKNOWN
NETWORK
LOW
AV:N/AC:L/Au:N/C:N/I:P/A:N
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 37%
VendorProductVersion
spreecommercespree
0.2.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://spreecommerce.com/blog/2008/08/12/security-vulernability-session-cookie-store/
http://support.spreehq.org/issues/show/63
http://spreecommerce.com/blog/2008/08/12/security-vulernability-session-cookie-store/
http://support.spreehq.org/issues/show/63