Improper Certificate Validation
Overview: Affected versions of this package are vulnerable to Improper Certificate Validation due to the DefaultConfig function, which sets TlsInsecureSkipVerify to true, disabling TLS certificate verification for all outgoing storage driver communications. An attacker can intercept and manipulate...
Missing Validation of OpenSSL Certificate
Overview: Affected versions of this package are vulnerable to Missing Validation of OpenSSL Certificate due to the default configuration of DefaultConfig, where TLS certificate verification is disabled for outgoing storage driver communications. An attacker can intercept, decrypt, and manipulate al...
Withdrawn Advisory: github.com/hashicorp/yamux's DefaultConfig has dangerous defaults causing hung Read
Withdrawn Advisory: This advisory has been withdrawn because further research determined that github.com/hashicorp/yamux was not vulnerable to denial of service in the manner described. This link is maintained to preserve external references. Original Description: The default values for...
Cross-Site Request Forgery (CSRF)
@vendure/core is vulnerable to Cross-Site Request Forgery (CSRF). The vulnerability exists in the defaultConfig because the cookie-session middleware is set to false, which most browsers interpret as the secure lax option but old browsers interpret as the least secure option, whic...