CVE-2011-10019
Published: 13 August 2025
Summary
CVE-2011-10019 is a critical-severity Code Injection (CWE-94) vulnerability in Spreecommerce Spree. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 1.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly addresses the failure to sanitize the search[send][] parameter by requiring validation of all user inputs to prevent code injection and arbitrary command execution.
- SI-2 (Flaw Remediation): Mandates timely identification, reporting, and correction of the flaw through upgrading to Spreecommerce 0.60.2 or later, eliminating the vulnerability.
- Complements input sanitization by restricting the types and volume of inputs to the search functionality, reducing the risk of exploitable malformed parameters.
NVD Description
Spreecommerce versions prior to 0.60.2 contain a remote command execution vulnerability in its search functionality. The application fails to properly sanitize input passed via the search[send][] parameter, which is dynamically invoked using Ruby's send method. This allows attackers to execute arbitrary shell commands on the server without authentication.
Deeper analysis
CVE-2011-10019 is a remote command execution vulnerability in Spreecommerce versions prior to 0.60.2. The flaw exists in the search functionality, where the application fails to properly sanitize user input passed via the search[send][] parameter. This input is dynamically invoked using Ruby’s send method, allowing arbitrary shell commands to be executed on the server.
The vulnerability can be exploited remotely by unauthenticated attackers with network access. By submitting crafted input to the search[send][] parameter, attackers achieve arbitrary command execution on the server, with high confidentiality, integrity, and availability impact, reflected in the CVSS v3.1 score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Associated CWEs include CWE-94 (code injection) and CWE-1321 (improperly controlled modification of dynamically-determined object attributes).
Mitigation requires upgrading to Spreecommerce 0.60.2 or later. Relevant advisories include an archived 2011 Spreecommerce blog post detailing the remote command execution in product group search, a Vulncheck advisory on the search parameter RCE, and public exploit resources such as a Metasploit module and an Exploit-DB entry.
Exploitation is well-documented in public repositories, with a dedicated Metasploit module and Exploit-DB listing confirming proof-of-concept availability since at least 2011.
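The pattern behind this CVE, a request parameter fed straight into Ruby's send, shown beside an allowlisted dispatcher of the kind SI-10 calls for. This is an added illustration, not Spree's code; the class and method names (ProductScope, apply_scope_unsafe, apply_scope_safe) are hypothetical.

```ruby
# Added example (not Spree's code): a request parameter used as the method
# name for `send`, next to a dispatcher that only accepts allowlisted scopes.
# ProductScope and the sample data below are constructed for illustration.

class ProductScope
  attr_reader :name
  def initialize(name, internal_token)
    @name = name
    @internal_token = internal_token   # not meant to be reachable from a request
  end
  def in_stock; "#{name}: in stock"; end
  def by_name(q); "#{name}: filtered by #{q}"; end
end

# Vulnerable: search[send] names the method and the remaining entries are its
# arguments, so the request chooses any method the object responds to,
# including introspection that was never meant to be exposed.
def apply_scope_unsafe(scope, search_params)
  method_name, *args = search_params.fetch("send")
  scope.send(method_name, *args)
end

# Hardened: only methods on an explicit allowlist, with the expected arity,
# and dispatched through public_send so private methods stay unreachable.
ALLOWED_SCOPES = { "in_stock" => 0, "by_name" => 1 }.freeze

class DisallowedScope < ArgumentError; end

def apply_scope_safe(scope, search_params)
  method_name, *args = Array(search_params["send"]).map(&:to_s)
  arity = ALLOWED_SCOPES[method_name]
  if arity.nil? || args.length != arity
    raise DisallowedScope, "scope not permitted: #{method_name.inspect}"
  end
  scope.public_send(method_name, *args)
end

if __FILE__ == $PROGRAM_NAME
  scope = ProductScope.new("Widgets", "s3cr3t")   # constructed sample data
  p apply_scope_unsafe(scope, "send" => ["in_stock"])
  # the unsafe dispatcher lets the request read internal state
  p apply_scope_unsafe(scope, "send" => ["instance_variable_get", "@internal_token"])
  p apply_scope_safe(scope, "send" => ["by_name", "gear"])
  begin
    apply_scope_safe(scope, "send" => ["instance_variable_get", "@internal_token"])
  rescue DisallowedScope => e
    puts "rejected: #{e.message}"
  end
end
```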
Details
- CWE(s)