Cross-site Request Forgery (CSRF) Affecting spree_auth_devise package, versions >=4.3.0, <4.4.1 >=4.2.0, <4.2.1 >=4.1.0, <4.1.1 <4.0.1
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.Test your applications
19 Nov 2021
18 Nov 2021
How to fix?
spree_auth_devise to version 4.4.1, 4.2.1, 4.1.1, 4.0.1 or higher.
Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) that allows user account takeover.
Note: All applications using any version of the frontend component of
spree_auth_devise are affected if
protect_from_forgery method is both:
- Executed whether as:
before_actioncallback (the default)
prepend_before_action(option prepend: true given) before the
Spree::UserController(most likely order to find).
- Configured to use
:null_sessionis the default in case the no strategy is given, but rails
--newgenerated skeleton use
That means that applications that haven't been configured differently from what it's generated with Rails aren't affected.