---
gem: spree
osvdb: 119205
url: https://spreecommerce.com/blog/security-updates-2015-3-3
title: Spree API Information Disclosure CSRF
date: 2015-03-05
description: |
  Spree contains a flaw in the API as HTTP requests do not require multiple
  steps, explicit confirmation, or a unique token when performing certain
  sensitive actions. By tricking a user into following a specially crafted
  link, a context-dependent attacker can perform a Cross-Site Request Forgery
  (CSRF / XSRF) attack causing the victim to disclose potentially sensitive
  information to attackers.
patched_versions:
  - ~> 2.2.10
  - ~> 2.3.8
  - ~> 2.4.5
  - ">= 3.0.0.rc4"