@vendure/core/.../core@0.18.4 vulnerabilities

A modern, headless ecommerce framework

  • latest version

    3.1.0

  • latest non vulnerable version

  • first published

    5 years ago

  • latest version published

    10 days ago

  • licenses detected

    • >=0.1.0-alpha.1 <3.0.0-next.0
  • Direct Vulnerabilities

    Known vulnerabilities in the @vendure/core package. This does not include vulnerabilities belonging to this package’s dependencies.

    How to fix?

    Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

    Fix for free
    VulnerabilityVulnerable Version
    • M
    Improper Input Validation

    @vendure/core is an A modern, headless ecommerce framework

    Affected versions of this package are vulnerable to Improper Input Validation through the currencyCode handling process. An attacker can manipulate payment currency by injecting arbitrary currencyCode as a query parameter to an API call.

    How to fix Improper Input Validation?

    Upgrade @vendure/core to version 2.1.3 or higher.

    <2.1.3
    • M
    Cross-site Request Forgery (CSRF)

    @vendure/core is an A modern, headless ecommerce framework

    Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) such that by default the Cookie settings are insecure, having the SameSite setting as false which results in not having one (originates from the cookie-session npm package’s default settings).

    How to fix Cross-site Request Forgery (CSRF)?

    Upgrade @vendure/core to version 2.0.3 or higher.

    <2.0.3
    • M
    Cross-site Scripting (XSS)

    @vendure/core is an A modern, headless ecommerce framework

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) as a result of an uploaded SVG file to the “Assets” tab by an attacker that has catalog permissions, which contains malicious code.

    How to fix Cross-site Scripting (XSS)?

    Upgrade @vendure/core to version 1.5.2 or higher.

    <1.5.2