Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Authentication Bypass by CSRF Weakness
Vulnerability Description
solidus_auth_devise provides authentication services for the Solidus webstore framework, using the Devise gem. In affected versions solidus_auth_devise is subject to a CSRF vulnerability that allows user account takeover. All applications using any version of the frontend component of `solidus_auth_devise` are affected if `protect_from_forgery` method is both: Executed whether as: A `before_action` callback (the default) or A `prepend_before_action` (option `prepend: true` given) before the `:load_object` hook in `Spree::UserController` (most likely order to find). Configured to use `:null_session` or `:reset_session` strategies (`:null_session` is the default in case the no strategy is given, but `rails --new` generated skeleton use `:exception`). Users should promptly update to `solidus_auth_devise` version `2.5.4`. Users unable to update should if possible, change their strategy to `:exception`. Please see the linked GHSA for more workaround details.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Vulnerability Type
跨站请求伪造(CSRF)
Vulnerability Title
Solidus 跨站请求伪造漏洞
Vulnerability Description
Solidus是一套开源的电子商务系统。 Solidus Solidus_auth_devise 中存在跨站请求伪造漏洞,该漏洞源于产品缺少CSRF验证。攻击者可通过该漏洞向服务端发送非预期的请求。
CVSS Information
N/A
Vulnerability Type
N/A