@vendure/core@1.1.4 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the @vendure/core package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • M
Improper Input Validation

@vendure/core is an A modern, headless ecommerce framework

Affected versions of this package are vulnerable to Improper Input Validation through the currencyCode handling process. An attacker can manipulate payment currency by injecting arbitrary currencyCode as a query parameter to an API call.

How to fix Improper Input Validation?

Upgrade @vendure/core to version 2.1.3 or higher.

<2.1.3
  • M
Cross-site Request Forgery (CSRF)

@vendure/core is an A modern, headless ecommerce framework

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) such that by default the Cookie settings are insecure, having the SameSite setting as false which results in not having one (originates from the cookie-session npm package’s default settings).

How to fix Cross-site Request Forgery (CSRF)?

Upgrade @vendure/core to version 2.0.3 or higher.

<2.0.3
  • M
Cross-site Scripting (XSS)

@vendure/core is an A modern, headless ecommerce framework

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) as a result of an uploaded SVG file to the “Assets” tab by an attacker that has catalog permissions, which contains malicious code.

How to fix Cross-site Scripting (XSS)?

Upgrade @vendure/core to version 1.5.2 or higher.

<1.5.2