QwikSec

Security Database

CVE

CWE

Training

CVE-2011-10019

Published: Aug 13, 2025

Modified: May 15, 2026

PUBLISHED

Description

Spreecommerce versions prior to 0.60.2 contains a remote command execution vulnerability in its search functionality. The application fails to properly sanitize input passed via the search[send][] parameter, which is dynamically invoked using Ruby’s send method. This allows attackers to execute arbitrary shell commands on the server without authentication.

Vendor	Product	Versions
Spreecommerce	Spreecommerce	affected `0 - < 0.60.2`

Weaknesses (CWE)

References

https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/spree_search_exec.rb

exploit

https://www.exploit-db.com/exploits/17941

exploit

https://web.archive.org/web/20111009192436/http://spreecommerce.com/blog/2011/10/05/remote-command-product-group/

vendor-advisory

patch

https://www.vulncheck.com/advisories/spreecommerce-search-parameter-rce

third-party-advisory

https://github.com/orgs/spree

product

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.