GHSA-h9wq-xcqx-mqxm: Vendure Cross Site Request Forgery vulnerability impacting all API requests

Impact

Vendure is an e-commerce GraphQL framework with a number of APIs and different levels of authorization. By default the cookie settings are insecure: the SameSite option is set to false, so the session cookie is issued without any SameSite attribute (this originates from the default settings of the cookie-session npm package).

Patches

In progress

Workarounds

Manually set the authOptions.cookieOptions.sameSite configuration option to 'strict', 'lax' or true.
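To check the workaround both at configuration time and against what a deployment actually emits, here is an added TypeScript example (not Vendure's or cookie-session's code). The option shape mirrors the cookie-session options Vendure passes through via authOptions.cookieOptions; the sample header and config values are constructed.

```typescript
// Added example: audits the sameSite option Vendure forwards to cookie-session
// via authOptions.cookieOptions, and checks a Set-Cookie header for the result.
// The option shape below mirrors cookie-session's options; it is not Vendure code.
type SameSite = boolean | 'strict' | 'lax' | 'none';

interface CookieOptionsLike {
  secure?: boolean;
  httpOnly?: boolean;
  sameSite?: SameSite;
}

/** Return findings for settings that leave the session cookie cross-site submittable. */
export function auditSameSite(opts: CookieOptionsLike): string[] {
  const findings: string[] = [];
  const s = opts.sameSite;
  if (s === undefined || s === false) {
    // cookie-session's default: no SameSite attribute is emitted at all.
    findings.push('sameSite unset or false: cookie accompanies cross-site requests (CSRF exposure)');
  } else if (s === 'none') {
    findings.push("sameSite 'none' explicitly disables same-site protection");
    if (!opts.secure) findings.push("sameSite 'none' without secure: browsers reject the cookie");
  }
  // true, 'strict' and 'lax' are the values the advisory's workaround recommends.
  return findings;
}

export interface ParsedSetCookie { name: string; value: string; attrs: Record<string, string>; }

/** Split a Set-Cookie header into name, value and lower-cased attributes. */
export function parseSetCookie(header: string): ParsedSetCookie {
  const [pair, ...rest] = header.split(';').map(p => p.trim()).filter(Boolean);
  const eq = pair.indexOf('=');
  const attrs: Record<string, string> = {};
  for (const p of rest) {
    const i = p.indexOf('=');
    attrs[(i < 0 ? p : p.slice(0, i)).toLowerCase()] = i < 0 ? '' : p.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

/** True only when a deployed instance actually emitted SameSite=Strict or Lax. */
export function setCookieHasSameSite(header: string): boolean {
  const v = (parseSetCookie(header).attrs['samesite'] ?? '').toLowerCase();
  return v === 'strict' || v === 'lax';
}

// Constructed sample values, not taken from a real deployment.
export const insecureDefault: CookieOptionsLike = { httpOnly: true, sameSite: false };
export const hardened: CookieOptionsLike = { httpOnly: true, secure: true, sameSite: 'strict' };
export const sampleHeader = 'session=abc123; Path=/; HttpOnly; SameSite=Lax';
```

Run the header check against the Set-Cookie response of a login request after deploying the workaround; a config audit alone does not prove the attribute reached the browser.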

References

Are there any links users can visit to find out more?


  • GHSA-h9wq-xcqx-mqxm
  • vendure-ecommerce/vendure@4a10d67
