69 matches found
Cross-site Request Forgery (CSRF)
Overview solidus_frontend is a cart and storefront for the Solidus e-commerce project. Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF). Using a user's cookie, an attacker is able to add an item to the user's cart without authorization. Remediation Upgrade...
CVE-2021-43846
solidus_frontend is the cart and storefront for the Solidus e-commerce project. Versions of solidus_frontend prior to 3.1.5, 3.0.5, and 2.11.14 contain a cross-site request forgery (CSRF) vulnerability that allows a malicious site to add an item to the user's cart without their knowledge. Versions...
Cross-site request forgery (CSRF)
solidus_frontend is the cart and storefront for the Solidus e-commerce project. Versions of solidus_frontend prior to 3.1.5, 3.0.5, and 2.11.14 contain a cross-site request forgery (CSRF) vulnerability that allows a malicious site to add an item to the user's cart without their knowledge. Versions...
Solidus Cross-Site Request Forgery Vulnerability
Solidus is an open source e-commerce system. A cross-site request forgery vulnerability exists in Solidus that stems from a lack of validation in the Add to cart operation. The vulnerability allows a malicious site to add items to a user's shopping cart without the user's knowledge...
CVE-2021-43805
Solidus is a free, open-source ecommerce platform built on Rails. Versions of Solidus prior to 3.1.4, 3.0.4, and 2.11.13 have a denial of service vulnerability that could be exploited during a guest checkout. The regular expression used to validate a guest order's email was subject to exponential...
CVE-2021-43805 ReDos vulnerability on guest checkout email validation
Solidus is a free, open-source ecommerce platform built on Rails. Versions of Solidus prior to 3.1.4, 3.0.4, and 2.11.13 have a denial of service vulnerability that could be exploited during a guest checkout. The regular expression used to validate a guest order's email was subject to exponential...
CVE-2021-43805
CVE-2021-43805 (Solidus) is a denial-of-service vulnerability affecting Solidus versions prior to 3.1.4, 3.0.4, and 2.11.13, caused by an exponential backtracking vulnerability in the regular expression used to validate a guest order email during checkout (pattern fragment like a.a.). The issue c...
Solidus Security Vulnerability
Solidus is an open source e-commerce system. Solidus suffers from a security vulnerability that stems from the fact that the software's regular expressions in emails used to validate guest orders can be exponentially backtracked through fragments such as a.a.a, which can be exploited by an attack...
Solidus Cross-Site Request Forgery Vulnerability
Solidus is an open source e-commerce system. A cross-site request forgery vulnerability exists in Solidus solidus_auth_devise, which stems from a lack of CSRF authentication in the product. An attacker could send an unintended request to the server through this vulnerability...
Duplicate Advisory: Authentication Bypass by CSRF Weakness
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-26xx-m4q2-xhq8. This link is maintained to preserve external references. Original Description Impact CSRF vulnerability that allows user account takeover. All applications using any version of the frontend...
Cross-site Request Forgery (CSRF)
Overview solidus_auth_devise provides authentication and authorization services for use with Solidus by using Devise and CanCan. Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) via solidus_auth_devise. Note: Users are affected only if the protect_from_forgery method...
Authentication Bypass by CSRF Weakness
Impact CSRF vulnerability that allows user account takeover. All applications using any version of the frontend component of solidus_auth_devise are affected if the protect_from_forgery method is both: - Executed whether as: - A before_action callback (the default) - A prepend_before_action (option prepend: tr...
Improper Input Validation
Overview solidus_frontend is a cart and storefront for the Solidus e-commerce project. Affected versions of this package are vulnerable to Improper Input Validation. It allows a malicious customer to craft request data with parameters that allow changing the address of the current order without...
Improper Input Validation
Overview Affected versions of this package are vulnerable to Improper Input Validation. It allows a malicious customer to craft request data with parameters that allow changing the address of the current order without changing the shipment costs associated with the new shipment. All stores with a...
Improper Validation
solidus does not perform proper validation. The vulnerability exists because it was possible to change the address of the current order without changing the shipment cost through crafted request data with parameters...
Solidus Input Validation Error Vulnerability
Solidus is an open source e-commerce system. An input validation error vulnerability exists in Solidus versions prior to 2.8.6, prior to 2.9.6, and prior to 2.10.2. The vulnerability stems from a network system or product that does not properly validate incoming data. No detailed vulnerability...
CVE-2020-15109
In solidus before versions 2.8.6, 2.9.6, and 2.10.2, there is an ability to change the order address without triggering address validations. This vulnerability allows a malicious customer to craft request data with parameters that allow changing the address of the current order without changing the...