Vulnerability Information
Vulnerability Title
CSRF forgery protection bypass for Spree::OrdersController#populate
Vulnerability Description
`solidus_frontend` is the cart and storefront for the Solidus e-commerce project. Versions of `solidus_frontend` prior to 3.1.5, 3.0.5, and 2.11.14 contain a cross-site request forgery (CSRF) vulnerability that allows a malicious site to add an item to the user's cart without their knowledge. Versions 3.1.5, 3.0.5, and 2.11.14 contain a patch for this issue. The patch adds CSRF token verification to the "Add to cart" action. Adding forgery protection to a form that previously lacked it can have side effects, because existing forms that do not submit the token will now be rejected. Other CSRF protection strategies, as well as a workaround involving modification to `config/application.rb`, are available. More details on these mitigations are available in the GitHub Security Advisory.
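A constructed Ruby model of the "Add to cart" action before and after the patch (an added example, not Solidus's own code; the class and method names are assumptions). It shows why the session cookie alone cannot distinguish a submission from the store's own form from one a third-party page submits on the user's behalf, and why a per-session token can:

```ruby
require 'securerandom'
# Constructed model of a storefront "add to cart" (populate) action.
# This is illustrative code, not Solidus's Spree::OrdersController.

# Per-session state: the cart and a CSRF token that only the store's own
# pages can read and embed in their forms.
class StoreSession
  attr_reader :cart, :csrf_token
  def initialize
    @cart = Hash.new(0)                 # variant_id => quantity
    @csrf_token = SecureRandom.hex(32)  # unguessable per-session secret
  end
end

# Constant-time comparison so the token check does not leak via timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Pre-patch behaviour: the session cookie alone is trusted, so a form on
# any site that the victim's browser submits with that cookie succeeds.
def populate_unprotected(session, params)
  session.cart[params[:variant_id]] += params.fetch(:quantity, 1)
  :added
end

# Patched behaviour: the request must carry the session's CSRF token,
# which a cross-origin page cannot read, so a forged request is rejected.
def populate_protected(session, params)
  token = params[:authenticity_token].to_s
  return :rejected unless secure_equal?(token, session.csrf_token)
  session.cart[params[:variant_id]] += params.fetch(:quantity, 1)
  :added
end

# Constructed requests: a legitimate submission from the store's own form,
# and one from a third-party page that knows the product but not the token.
def demo
  session = StoreSession.new
  own_form = { variant_id: 42, quantity: 1, authenticity_token: session.csrf_token }
  forged   = { variant_id: 42, quantity: 1 }   # no token available cross-site
  {
    unprotected_forged: populate_unprotected(StoreSession.new, forged),
    protected_forged:   populate_protected(session, forged),
    protected_own_form: populate_protected(session, own_form),
    cart_after:         session.cart.dup
  }
end
```

The same `:rejected` path is taken by any of the store's own forms that predate the patch and omit the token, which is the side effect the advisory warns about.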
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Vulnerability Type
Cross-site request forgery (CSRF)
Vulnerability Title
Solidus cross-site request forgery vulnerability
Vulnerability Description
Solidus is an open-source e-commerce system. Solidus contains a cross-site request forgery vulnerability that stems from the "Add to cart" action not performing effective verification. The vulnerability allows a malicious site to add items to a user's shopping cart without the user's knowledge.
CVSS Information
N/A
Vulnerability Type
N/A