Spreecommerce versions prior to 0.60.2 contains a remote command execution vulnerability in its search functionality. The application fails to properly sanitize input passed via the search[send][] parameter, which is dynamically invoked using Ruby’s send method. This allows attackers to execute arbitrary shell commands on the server without authentication.
Security readout for executives and security teams
Plain-English summary
CVE-2011-10019 is a critical unauthenticated remote command execution issue in old Spreecommerce releases before 0.60.2. A vulnerable store could allow an internet attacker to run commands on the server through the search feature. Treat any legacy Spreecommerce storefront or fork as urgent until version and patch status are confirmed.
Executive priority
Handle as an urgent legacy-application risk. A vulnerable internet-facing store could become a full server compromise, and public exploit material increases operational urgency even without confirmed active exploitation evidence in the bundle.
Technical view
The issue is in Spreecommerce search handling, where input to the search[send][] parameter is dynamically invoked through Ruby send without proper sanitization. Sources describe arbitrary shell command execution without authentication. The record lists CVSS 4.0 score 10 and CWE-1321/CWE-94. Affected-version metadata is sparse, but the description identifies versions before 0.60.2.
Likely exposure
Exposure is most likely in legacy Spreecommerce deployments, abandoned storefronts, or forks based on versions before 0.60.2. The source bundle provides no CPEs and marks default status unknown, so asset inventory and application dependency review are required.
Exploitation context
Public exploit references exist, including Metasploit and Exploit-DB entries. The bundle does not identify CISA KEV listing or any cited evidence of active exploitation, so active exploitation should not be assumed from these sources alone.
Researcher notes
Focus validation on version provenance and search parameter handling. The affected record lacks CPE coverage and has sparse version metadata, so researchers should cross-check vendor advisory details, local code lineage, and dependency history before declaring assets unaffected.
Mitigation direction
Upgrade affected Spreecommerce installations to 0.60.2 or later per vendor guidance.
Identify and retire unsupported legacy Spreecommerce storefronts and forks.
Review the archived vendor advisory before changing production systems.
Prioritize internet-facing stores and administrative environments first.
Monitor vendor and project channels for any additional guidance.
Validation and detection
Inventory all Spreecommerce applications, including forks and archived storefronts.
Confirm each deployment version is 0.60.2 or later.
Review application logs for suspicious search[send][] parameter activity.
Verify public routes using non-destructive request review only.
Document uncertainty where version or fork lineage cannot be proven.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-1321: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Code execution and unsafe deserialization weaknesses often justify reviewing execution behavior and process telemetry. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
1CVSS vectors
3Timeline events
1ADP providers
6Source links
SSVC decision data
CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: yesTechnical Impact: total
CVSS vector scores
1 official score
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-1321 · source CWE mapping
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.
Improper Control of Generation of Code ('Code Injection')
Improper Control of Generation of Code ('Code Injection') represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.