Vendure Cross Site Request Forgery vulnerability impacting all API requests

2023-07-1122:46:19

GitHub Advisory Database

github.com

2459

vendure

csrf

vulnerability

cookie settings

api

authorization

samesite

insecure

patch

workaround

configuration option

software

JSON

Impact

Vendure is an e-commerce GraphQL framework with a number of APIs and different levels of
authorization. By default the Cookie settings are insecure, having the SameSite setting as false
which results in not having one (originates from the cookie-session npm package’s default
settings).

Patches

In progress

Workarounds

Manually set the authOptions.cookieOptions.sameSite configuration option to 'strict', 'lax' or true.

References

Are there any links users can visit to find out more?

Affected configurations

Vulners

Node

vendurecoreRange<2.0.3

VendorProductVersionCPE
vendurecore*cpe:2.3:a:vendure:core:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
vendure	core	*	cpe:2.3:a:vendure:core::::::::

References

github.com/advisories/GHSA-h9wq-xcqx-mqxm

github.com/vendure-ecommerce/vendure/commit/4a10d6785a3bf792ddf84053cdf232c205b82c81

github.com/vendure-ecommerce/vendure/security/advisories/GHSA-h9wq-xcqx-mqxm

JSON