Vulnerability	Vulnerable Version
M Improper Input Validation @vendure/core is an A modern, headless ecommerce framework Affected versions of this package are vulnerable to Improper Input Validation through the `currencyCode` handling process. An attacker can manipulate payment currency by injecting arbitrary `currencyCode` as a query parameter to an API call. How to fix Improper Input Validation? Upgrade `@vendure/core` to version 2.1.3 or higher.	<2.1.3
M Cross-site Request Forgery (CSRF) @vendure/core is an A modern, headless ecommerce framework Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) such that by default the `Cookie` settings are insecure, having the `SameSite` setting as `false` which results in not having one (originates from the `cookie-session` npm package’s default settings). How to fix Cross-site Request Forgery (CSRF)? Upgrade `@vendure/core` to version 2.0.3 or higher.	<2.0.3
M Cross-site Scripting (XSS) @vendure/core is an A modern, headless ecommerce framework Affected versions of this package are vulnerable to Cross-site Scripting (XSS) as a result of an uploaded SVG file to the “Assets” tab by an attacker that has catalog permissions, which contains malicious code. How to fix Cross-site Scripting (XSS)? Upgrade `@vendure/core` to version 1.5.2 or higher.	<1.5.2

Go back to all versions of this package