Combined OSVDB-91216.yml, OSVDB-91217.yml, OSVDB-91218.yml, OSVDB-91219.yml into CVE-2013-1656.yml.

Author: postmodern

gems/spree/CVE-2013-1656.yml

@@ -1,17 +1,23 @@
 ---
 gem: spree
 cve: 2013-1656
-osvdb: 91217
-url: https://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed
-title: |
-  Spree payment_methods_controller.rb payment_method Parameter Arbitrary Ruby
-  Object Instantiation Command Execution
+url: https://blog.convisoappsec.com/en/spree-commerce-multiple-unsafe-reflection-vulnerabilities-cve-2013-1656
+title: Spree controller Parameter Arbitrary Ruby Object Instantiation Command Execution
 date: 2013-02-21
 description: |
-  Spree contains a flaw that is triggered when handling input passed via the
-  'payment_method' parameter to payment_methods_controller.rb. This may allow
-  a remote authenticated attacker to instantiate arbitrary Ruby objects and
-  potentially execute arbitrary commands.
+  Spree Commerce 1.0.x through 1.3.2 allows remote authenticated
+  administrators to instantiate arbitrary Ruby objects and executd
+  arbitrary commands via the
+  (1) payment_method parameter to core/app/controllers/spree/admin/
+      payment_methods_controller.rb; and the
+  (2) promotion_action parameter to promotion_actions_controller.rb,
+  (3) promotion_rule parameter to promotion_rules_controller.rb, and
+  (4) calculator_type parameter to promotions_controller.rb in
+      promo/app/controllers/spree/admin/, related to unsafe use
+      of the constantize function.
 cvss_v2: 4.3
 patched_versions:
-- '>= 2.0.0'
+ - '>= 2.0.0'
+related:
+ url:
+  - https://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed