Homepage
About Snyk

@vendure/core@1.7.3 vulnerabilities

A modern, headless ecommerce framework

Go back to all versions of this package
Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the @vendure/core package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • M
Improper Input Validation

@vendure/core is an A modern, headless ecommerce framework

Affected versions of this package are vulnerable to Improper Input Validation through the currencyCode handling process. An attacker can manipulate payment currency by injecting arbitrary currencyCode as a query parameter to an API call.

How to fix Improper Input Validation?

Upgrade @vendure/core to version 2.1.3 or higher.

<2.1.3
  • M
Cross-site Request Forgery (CSRF)

@vendure/core is an A modern, headless ecommerce framework

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) such that by default the Cookie settings are insecure, having the SameSite setting as false which results in not having one (originates from the cookie-session npm package’s default settings).

How to fix Cross-site Request Forgery (CSRF)?

Upgrade @vendure/core to version 2.0.3 or higher.

<2.0.3
Go back to all versions of this package