Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1oOXdxLXhjcXgtbXF4bc4AA0m0
Vendure Cross Site Request Forgery vulnerability impacting all API requests
Impact
Vendure is an e-commerce GraphQL framework with a number of APIs and different levels of
authorization. By default the Cookie settings are insecure, having the SameSite setting as false
which results in not having one (originates from the cookie-session npm package’s default
settings).
Patches
In progress
Workarounds
Manually set the authOptions.cookieOptions.sameSite configuration option to 'strict', 'lax' or true.
References
Are there any links users can visit to find out more?
Permalink: https://github.com/advisories/GHSA-h9wq-xcqx-mqxmJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1oOXdxLXhjcXgtbXF4bc4AA0m0
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: 10 months ago
Updated: 10 months ago
Identifiers: GHSA-h9wq-xcqx-mqxm
References:
- https://github.com/vendure-ecommerce/vendure/security/advisories/GHSA-h9wq-xcqx-mqxm
- https://github.com/vendure-ecommerce/vendure/commit/4a10d6785a3bf792ddf84053cdf232c205b82c81
- https://github.com/advisories/GHSA-h9wq-xcqx-mqxm
Blast Radius: 0.0
Affected Packages
npm:@vendure/core
Dependent packages: 160Dependent repositories: 72
Downloads: 15,092 last month
Affected Version Ranges: < 2.0.3
Fixed in: 2.0.3
All affected versions: 0.2.0, 0.2.1, 0.3.0, 0.3.1, 0.3.3, 0.3.4, 0.4.0, 0.5.0, 0.5.1, 0.6.0, 0.6.1, 0.6.2, 0.6.4, 0.6.5, 0.7.0, 0.8.0, 0.8.1, 0.8.2, 0.9.0, 0.10.0, 0.10.1, 0.11.0, 0.11.1, 0.12.0, 0.12.1, 0.12.3, 0.12.5, 0.13.0, 0.13.1, 0.14.0, 0.14.1, 0.15.0, 0.15.1, 0.15.2, 0.16.0, 0.16.1, 0.16.2, 0.16.3, 0.17.0, 0.17.1, 0.17.2, 0.17.3, 0.18.0, 0.18.1, 0.18.2, 0.18.3, 0.18.4, 0.18.5, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.4.6, 1.4.7, 1.5.0, 1.5.1, 1.5.2, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.6.4, 1.6.5, 1.7.0, 1.7.1, 1.7.2, 1.7.3, 1.7.4, 1.8.0, 1.8.1, 1.8.2, 1.8.3, 1.8.4, 1.8.5, 1.9.0, 1.9.1, 1.9.2, 1.9.3, 1.9.4, 1.9.5, 1.9.6, 1.9.7, 2.0.0, 2.0.1, 2.0.2
All unaffected versions: 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.0.10, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.7, 2.1.8, 2.1.9, 2.2.0, 2.2.1, 2.2.2, 2.2.3