Lucene search: 69 matches found

Snyk
added 2021/12/21 9:30 a.m., 1 view

Cross-site Request Forgery (CSRF)

Overview: solidus_frontend is a cart and storefront for the Solidus e-commerce project. Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF). Using a user's cookie, an attacker is able to add an item to the user's cart without authorization. Remediation: Upgrade...

CVSS 5.3 | AI score 7 | EPSS 0.00575
Exploits 1 | References 2
ATTACKERKB
added 2021/12/20 10:15 p.m., 5 views

CVE-2021-43846

solidus_frontend is the cart and storefront for the Solidus e-commerce project. Versions of solidus_frontend prior to 3.1.5, 3.0.5, and 2.11.14 contain a cross-site request forgery (CSRF) vulnerability that allows a malicious site to add an item to the user's cart without their knowledge. Versions...

CVSS 5.3 | AI score 5.5 | EPSS 0.00575
Exploits 1 | References 4 | Affected Software 1
NVD
added 2021/12/20 10:15 p.m., 19 views

CVE-2021-43846

solidus_frontend is the cart and storefront for the Solidus e-commerce project. Versions of solidus_frontend prior to 3.1.5, 3.0.5, and 2.11.14 contain a cross-site request forgery (CSRF) vulnerability that allows a malicious site to add an item to the user's cart without their knowledge. Versions...

CVSS 5.3 | EPSS 0.00575
Exploits 1 | References 3
Prion
added 2021/12/20 10:15 p.m., 18 views

Cross-site request forgery (CSRF)

solidus_frontend is the cart and storefront for the Solidus e-commerce project. Versions of solidus_frontend prior to 3.1.5, 3.0.5, and 2.11.14 contain a cross-site request forgery (CSRF) vulnerability that allows a malicious site to add an item to the user's cart without their knowledge. Versions...

CVSS 4.3 | AI score 4.7 | EPSS 0.00575
Exploits 1 | References 3 | Affected Software 1
CNNVD
added 2021/12/20 12:00 a.m., 3 views

Solidus Cross-Site Request Forgery Vulnerability

Solidus is an open source e-commerce system. A cross-site request forgery vulnerability exists in Solidus that stems from a lack of validation in the "Add to cart" operation. The vulnerability allows a malicious site to add items to a user's shopping cart without the user's knowledge...

CVSS 5.3 | AI score 5 | EPSS 0.00575
Exploits 1 | References 4
NVD
added 2021/12/07 6:15 p.m., 13 views

CVE-2021-43805

Solidus is a free, open-source ecommerce platform built on Rails. Versions of Solidus prior to 3.1.4, 3.0.4, and 2.11.13 have a denial of service vulnerability that could be exploited during a guest checkout. The regular expression used to validate a guest order's email was subject to exponential...

CVSS 7.5 | EPSS 0.01403
Exploits 1 | References 2
OSV
added 2021/12/07 6:15 p.m., 17 views

CVE-2021-43805

Solidus is a free, open-source ecommerce platform built on Rails. Versions of Solidus prior to 3.1.4, 3.0.4, and 2.11.13 have a denial of service vulnerability that could be exploited during a guest checkout. The regular expression used to validate a guest order's email was subject to exponential...

CVSS 7.5 | AI score 7
Exploits 0 | References 2
Cvelist
added 2021/12/07 5:25 p.m., 14 views

CVE-2021-43805 ReDoS vulnerability in guest checkout email validation

Solidus is a free, open-source ecommerce platform built on Rails. Versions of Solidus prior to 3.1.4, 3.0.4, and 2.11.13 have a denial of service vulnerability that could be exploited during a guest checkout. The regular expression used to validate a guest order's email was subject to exponential...

CVSS 7.5 | AI score 7.8 | EPSS 0.01403
Exploits 1 | References 2
CVE
added 2021/12/07 5:25 p.m., 69 views

CVE-2021-43805

CVE-2021-43805 (Solidus) is a denial-of-service vulnerability affecting Solidus versions prior to 3.1.4, 3.0.4, and 2.11.13, caused by an exponential backtracking vulnerability in the regular expression used to validate a guest order email during checkout (pattern fragment like a.a.). The issue c...

CVSS 7.5 | AI score 7.6 | EPSS 0.01403
Exploits 1 | References 2 | Affected Software 1
CNNVD
added 2021/12/07 12:00 a.m., 3 views

Solidus Security Vulnerability

Solidus is an open source e-commerce system. Solidus suffers from a security vulnerability that stems from the fact that the regular expression the software uses to validate guest order emails can be made to backtrack exponentially via fragments such as a.a.a, which can be exploited by an attack...

CVSS 7.5 | AI score 7.3 | EPSS 0.01403
Exploits 1 | References 3
CNVD
added 2021/11/22 12:00 a.m., 17 views

Solidus Cross-Site Request Forgery Vulnerability

Solidus is an open source e-commerce system. A cross-site request forgery vulnerability exists in Solidus solidus_auth_devise, which stems from a lack of CSRF authentication in the product. An attacker could send an unintended request to the server through this vulnerability...

CVSS 9.3 | AI score 2.9 | EPSS 0.00609
Exploits 1 | References 1
Github Security Blog
added 2021/11/18 8:15 p.m., 29 views

Duplicate Advisory: Authentication Bypass by CSRF Weakness

Duplicate Advisory: This advisory has been withdrawn because it is a duplicate of GHSA-26xx-m4q2-xhq8. This link is maintained to preserve external references. Original Description: Impact: CSRF vulnerability that allows user account takeover. All applications using any version of the frontend...

CVSS 9.3 | AI score 6.8 | EPSS 0.0052
Exploits 0 | References 4 | Affected Software 1
Snyk
added 2021/11/18 12:03 p.m., 4 views

Cross-site Request Forgery (CSRF)

Overview: solidus_auth_devise provides authentication and authorization services for use with Solidus by using Devise and CanCan. Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) via solidus_auth_devise. Note: Users are affected only if the protect_from_forgery method...

CVSS 9.3 | AI score 7.2 | EPSS 0.00609
Exploits 1 | References 2
RubySec
added 2021/11/18 12:00 a.m., 18 views

Authentication Bypass by CSRF Weakness

Impact: CSRF vulnerability that allows user account takeover. All applications using any version of the frontend component of solidus_auth_devise are affected if the protect_from_forgery method is both: - Executed, whether as: - A before_action callback (the default) - A prepend_before_action (option prepend: tr...

CVSS 9.3 | AI score 6.7 | EPSS 0.00609
Exploits 1 | References 1 | Affected Software 1
CNNVD
added 2021/11/17 12:00 a.m., 5 views

Solidus Cross-Site Request Forgery Vulnerability

Solidus is an open source e-commerce system. A cross-site request forgery vulnerability exists in Solidus solidus_auth_devise, which stems from a lack of CSRF authentication in the product. An attacker could send an unintended request to the server through this vulnerability...

CVSS 9.3 | AI score 5.5 | EPSS 0.00609
Exploits 1 | References 3
Snyk
added 2020/08/05 9:25 a.m., 1 view

Improper Input Validation

Overview: solidus_frontend is a cart and storefront for the Solidus e-commerce project. Affected versions of this package are vulnerable to Improper Input Validation. It allows a malicious customer to craft request data with parameters that allow changing the address of the current order without...

CVSS 7.5 | AI score 6.9 | EPSS 0.00896
Exploits 1 | References 2
Snyk
added 2020/08/05 9:25 a.m., 1 view

Improper Input Validation

Overview: Affected versions of this package are vulnerable to Improper Input Validation. It allows a malicious customer to craft request data with parameters that allow changing the address of the current order without changing the shipment costs associated with the new shipment. All stores with a...

CVSS 7.5 | AI score 6.9 | EPSS 0.00896
Exploits 1 | References 2
Veracode
added 2020/08/05 3:09 a.m., 16 views

Improper Validation

solidus does not perform proper validation. The vulnerability exists because it was possible to change the address of the current order without changing the shipment cost through crafted request data with parameters...

CVSS 5.3 | AI score 2.6 | EPSS 0.00896
Exploits 1 | References 6 | Affected Software 2
CNVD
added 2020/08/05 12:00 a.m., 1 view

Solidus Input Validation Error Vulnerability

Solidus is an open source e-commerce system. An input validation error vulnerability exists in Solidus versions prior to 2.8.6, prior to 2.9.6, and prior to 2.10.2. The vulnerability stems from a network system or product that does not properly validate incoming data. No detailed vulnerability...

CVSS 5.3 | AI score 6.8 | EPSS 0.00896
Exploits 1 | References 1
NVD
added 2020/08/04 11:15 p.m., 8 views

CVE-2020-15109

In solidus before versions 2.8.6, 2.9.6, and 2.10.2, there is an ability to change the order address without triggering address validations. This vulnerability allows a malicious customer to craft request data with parameters that allow changing the address of the current order without changing the...

CVSS 5.3 | AI score 5.1 | EPSS 0.00896
Exploits 1 | References 2