Sha256: 895cf75e708be97b302bfb48b4389d1a9e2b28672af7dd803f153f506db62b4c

Contents?: true

Size: 652 Bytes

Versions: 6

Compression:

Stored size: 652 Bytes

Contents

---
gem: spree
osvdb: 119205
url: https://spreecommerce.com/blog/security-updates-2015-3-3
title: Spree API Information Disclosure CSRF
date: 2015-03-05
description: |
  Spree contains a flaw in the API as HTTP requests do not require multiple
  steps, explicit confirmation, or a unique token when performing certain
  sensitive actions. By tricking a user into following a specially crafted
  link, a context-dependent attacker can perform a Cross-Site Request Forgery
  (CSRF / XSRF) attack causing the victim to disclose potentially sensitive
  information to attackers.
patched_versions:
  - ~> 2.2.10
  - ~> 2.3.8
  - ~> 2.4.5
  - ">= 3.0.0.rc4"
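As an added example (not code from ruby-advisory-db or bundler-audit), here is how the `patched_versions` list above is evaluated: each entry is a RubyGems requirement string, and a locked spree version counts as patched only when at least one of those ranges accepts it. The advisory YAML and the Gemfile.lock fragment below are constructed copies for the demo.

```ruby
require "yaml"
require "date"

# Constructed copy of the advisory fields shown above (OSVDB-119205.yml).
ADVISORY_YAML = <<~YAML
  ---
  gem: spree
  osvdb: 119205
  title: Spree API Information Disclosure CSRF
  date: 2015-03-05
  patched_versions:
    - ~> 2.2.10
    - ~> 2.3.8
    - ~> 2.4.5
    - ">= 3.0.0.rc4"
YAML

# Parse the advisory; each patched_versions entry is a RubyGems requirement
# string, so Gem::Requirement reproduces the range semantics bundler-audit uses.
def load_advisory(yaml = ADVISORY_YAML)
  data = YAML.safe_load(yaml, permitted_classes: [Date])
  data["requirements"] = data["patched_versions"].map { |c| Gem::Requirement.new(c) }
  data
end

# A version counts as patched only if at least one range accepts it, so a
# release that falls between ranges (e.g. 2.5.0) is still reported vulnerable.
def patched?(advisory, version)
  v = Gem::Version.new(version)
  advisory["requirements"].any? { |req| req.satisfied_by?(v) }
end

# Find the locked version of the advisory's gem in Gemfile.lock text
# (specs appear as "    name (version)") and return an audit verdict.
def audit_lockfile(advisory, lockfile_text)
  name = advisory["gem"]
  m = lockfile_text.match(/^ {4}#{Regexp.escape(name)} \(([^)]+)\)$/)
  return { gem: name, version: nil, status: :not_present } unless m
  { gem: name, version: m[1], status: patched?(advisory, m[1]) ? :patched : :vulnerable }
end

# Constructed Gemfile.lock fragment pinning a Spree release below 2.4.5.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      spree (2.4.4)
      rails (4.1.9)
LOCK
p audit_lockfile(load_advisory, SAMPLE_LOCK) if __FILE__ == $0
```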

Version data entries

6 entries across 6 versions & 2 rubygems

Version Path
bundler-audit-0.7.0.1 data/ruby-advisory-db/gems/spree/OSVDB-119205.yml
bundler-budit-0.6.2 data/ruby-advisory-db/gems/spree/OSVDB-119205.yml
bundler-budit-0.6.1 data/ruby-advisory-db/gems/spree/OSVDB-119205.yml
bundler-audit-0.6.1 data/ruby-advisory-db/gems/spree/OSVDB-119205.yml
bundler-audit-0.6.0 data/ruby-advisory-db/gems/spree/OSVDB-119205.yml
bundler-audit-0.5.0 data/ruby-advisory-db/gems/spree/OSVDB-119205.yml