CVE-2011-10019
Published: 13 August 2025
Summary
CVE-2011-10019 is a critical-severity Code Injection (CWE-94) vulnerability in Spreecommerce Spree. Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 0.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2011-10019 is a remote command execution vulnerability in Spreecommerce versions prior to 0.60.2. The flaw exists in the search functionality, where the application fails to properly sanitize user input passed via the search[send][] parameter. This input is dynamically invoked using Ruby’s send method, allowing arbitrary shell commands to be executed on the server.
The vulnerability can be exploited remotely by unauthenticated attackers with network access. By submitting crafted input to the search[send][] parameter, attackers achieve arbitrary command execution on the server, granting high confidentiality, integrity, and availability impacts as scored by CVSS v3.1 at 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Associated CWEs include CWE-94 (code injection) and CWE-1321 (improperly controlled modification of dynamically-determined object attributes).
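The flaw is a dynamic-dispatch bug: a request-supplied array is splatted into Ruby's `send`, so the caller chooses both the method and its arguments. The following Ruby is an added illustration, not Spree's own code: `ProductCatalog`, `SearchDispatchError`, `SEARCH_SCOPES` and the sample products are assumptions standing in for an ActiveRecord-backed product model. It places the vulnerable pattern beside an allowlisted replacement and shows why the allowlist, rather than input escaping, is the right control for this bug class.

```ruby
# Added example (not Spree's code): the dynamic-dispatch pattern behind
# CVE-2011-10019 and an allowlisted replacement. All names are assumptions.

class SearchDispatchError < StandardError; end

# Toy catalog standing in for a Product model (constructed for this example).
class ProductCatalog
  attr_reader :products

  def initialize(products)
    @products = products
  end

  # Legitimate search "scopes" that a request is allowed to reach.
  def in_name(term)
    @products.select { |p| p[:name].downcase.include?(term.to_s.downcase) }
  end

  def price_between(low, high)
    @products.select { |p| p[:price].between?(low.to_f, high.to_f) }
  end

  # Exists on the object but must never be callable from a request; it stands
  # in for every method outside the intended search surface.
  def purge_all!
    @products.clear
  end
end

# Vulnerable dispatch: method name AND arguments come straight from the
# request, modelled on search[send][] being splatted into Ruby's send.
# send also ignores visibility, so private methods are reachable too.
def vulnerable_dispatch(catalog, params)
  name, *args = params.fetch("send")
  catalog.send(name, *args)
end

# Allowlist of permitted scope names with their expected argument count.
SEARCH_SCOPES = {
  "in_name"       => 1,
  "price_between" => 2
}.freeze

# Hardened dispatch: reject anything not on the allowlist, check arity, and
# use public_send so that visibility is still enforced.
def safe_dispatch(catalog, params)
  raw = params.fetch("send", nil)
  raise SearchDispatchError, "search[send] must be an array" unless raw.is_a?(Array)
  name, *args = raw.map(&:to_s)
  arity = SEARCH_SCOPES[name]
  raise SearchDispatchError, "unknown search scope: #{name}" unless arity
  raise SearchDispatchError, "wrong argument count for #{name}" unless args.length == arity
  catalog.public_send(name, *args)
end

# Constructed sample data for a stand-alone run.
def sample_catalog
  ProductCatalog.new([
    { name: "Blue Widget", price: 9.5 },
    { name: "Red Gadget",  price: 25.0 }
  ])
end

if __FILE__ == $0
  legit = { "send" => ["in_name", "widget"] }
  hostile = { "send" => ["purge_all!"] }   # non-search method chosen by the client

  puts "safe, legit:    #{safe_dispatch(sample_catalog, legit).length} hit(s)"
  begin
    safe_dispatch(sample_catalog, hostile)
  rescue SearchDispatchError => e
    puts "safe, hostile:  rejected (#{e.message})"
  end

  cat = sample_catalog
  vulnerable_dispatch(cat, hostile)
  puts "vulnerable, hostile: catalog now has #{cat.products.length} product(s)"
end
```

The point of the allowlist is that the request can only ever select among names the developer enumerated; validating the shape of the string (as an input filter on `search[send][]` might) would still leave every public and private method of the receiver reachable through `send`.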
Mitigation requires upgrading to Spreecommerce 0.60.2 or later. Relevant advisories include an archived 2011 Spreecommerce blog post detailing the remote command execution in product group search, a Vulncheck advisory on the search parameter RCE, and public exploit resources such as a Metasploit module and an Exploit-DB entry.
Exploitation is well-documented in public repositories, with a dedicated Metasploit module and Exploit-DB listing confirming proof-of-concept availability since at least 2011.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2011-5240
Vulnerability details
Spreecommerce versions prior to 0.60.2 contain a remote command execution vulnerability in their search functionality. The application fails to properly sanitize input passed via the search[send][] parameter, which is dynamically invoked using Ruby's send method. This allows attackers to execute arbitrary shell commands on the server without authentication.
- CWE(s): CWE-94 (Code Injection), CWE-1321 (Improperly Controlled Modification of Dynamically-Determined Object Attributes)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct RCE on a public-facing web application via unsanitized input to Ruby's send(), enabling remote, unauthenticated shell command execution.
Mitigating Controls (NIST 800-53 r5)
SI-10 (Information Input Validation): Directly addresses the failure to sanitize the search[send][] parameter by requiring validation of all user inputs to prevent code injection and arbitrary command execution.
SI-2 (Flaw Remediation): Mandates timely identification, reporting, and correction of the flaw through upgrading to Spreecommerce 0.60.2 or later, eliminating the vulnerability.
Complements input sanitization by restricting the types and volume of inputs to the search functionality, reducing the risk of exploitable malformed parameters.