Improper Input Validation Affecting @vendure/core package, versions <2.1.3
- Snyk ID SNYK-JS-VENDURECORE-6069801
- published 19 Nov 2023
- disclosed 17 Nov 2023
- credit seminarian
How to fix?
Upgrade @vendure/core to version 2.1.3 or higher.
Overview
@vendure/core is a modern, headless ecommerce framework.
Affected versions of this package are vulnerable to Improper Input Validation through the currencyCode handling process. An attacker can manipulate payment currency by injecting arbitrary currencyCode as a query parameter to an API call.
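One way to enforce the missing check, shown as an added example that is not Vendure's code or its 2.1.3 patch: treat the channel's configured currency list as the source of truth and reject any other currencyCode. The channel shape, function names and error class are assumptions made for illustration.

```javascript
// Added illustration; hypothetical names, not Vendure's implementation.
class CurrencyNotAllowedError extends Error {}

// Constructed sample: the currencies this sales channel is configured to accept.
const sampleChannel = {
  code: 'eu-store',
  defaultCurrencyCode: 'EUR',
  availableCurrencyCodes: ['EUR', 'GBP'],
};

// "Before" pattern: whatever the client sends becomes the request currency.
function resolveCurrencyUnchecked(channel, query) {
  return query.currencyCode || channel.defaultCurrencyCode;
}

// Hardened: the parameter may only select among server-configured currencies.
function resolveCurrency(channel, query) {
  const raw = query.currencyCode;
  if (raw === undefined) {
    return channel.defaultCurrencyCode;
  }
  // A repeated parameter is parsed as an array by common query parsers;
  // reject it instead of guessing which value was meant.
  if (typeof raw !== 'string' || !/^[A-Z]{3}$/.test(raw)) {
    throw new CurrencyNotAllowedError('currencyCode must be one three-letter uppercase code');
  }
  if (!channel.availableCurrencyCodes.includes(raw)) {
    throw new CurrencyNotAllowedError(
      `currencyCode ${raw} is not enabled for channel ${channel.code}`);
  }
  return raw;
}

// Returns the resolved code, or the rejection reason, for each constructed query.
function demo() {
  const queries = [{}, { currencyCode: 'GBP' }, { currencyCode: 'JPY' },
    { currencyCode: ['EUR', 'JPY'] }, { currencyCode: 'eur' }];
  return queries.map((q) => {
    try {
      return resolveCurrency(sampleChannel, q);
    } catch (err) {
      return `rejected: ${err.message}`;
    }
  });
}

console.log(demo());
```

The resolved value, not the raw parameter, is what downstream pricing and payment code should read.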
CVSS Scores
version 3.1