GHSA-h9wq-xcqx-mqxm – @vendure/core
Package
Manager: npm
Name: @vendure/core
Vulnerable Version: >=0 <2.0.3
Severity
Level: Low
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: N/A (percentile: N/A)
Details
Vendure Cross-Site Request Forgery vulnerability impacting all API requests

### Impact
Vendure is an e-commerce GraphQL framework with a number of APIs and different levels of authorization. By default the session cookie settings are insecure: the `SameSite` attribute is left unset (the option defaults to `false`, inherited from the `cookie-session` npm package's defaults), so browsers attach the session cookie to cross-site requests and a page on another origin can trigger authenticated API requests on behalf of a logged-in user.

### Patches
In progress

### Workarounds
Manually set the `authOptions.cookieOptions.sameSite` configuration option to `'strict'`, `'lax'` or `true`.
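The following is an added example, not code from the Vendure project or from the advisory. It shows the vulnerable configuration shape (no `sameSite` set) beside the workaround, plus a small check that flags a config whose session cookie would still be sent cross-site. The `MinimalVendureConfig` type is a local stand-in for the relevant slice of `VendureConfig` so the block runs without `@vendure/core` installed; the option path `authOptions.cookieOptions.sameSite` is the one named in the advisory, and the attribute mapping in `sameSiteAttribute` assumes the usual `cookies`-style semantics (`true` means `Strict`).

```typescript
// Added example; stand-in types rather than the real VendureConfig (assumption).
type SameSite = 'strict' | 'lax' | 'none' | boolean | undefined;

interface MinimalVendureConfig {
  authOptions: {
    // Vendure's default token method is assumed to be 'cookie' here.
    tokenMethod?: 'cookie' | 'bearer' | Array<'cookie' | 'bearer'>;
    cookieOptions?: {
      secret?: string;
      sameSite?: SameSite;
    };
  };
}

// Vulnerable shape: sameSite is not set, so no SameSite attribute is emitted
// and the browser attaches the session cookie to cross-site requests.
const vulnerableConfig: MinimalVendureConfig = {
  authOptions: {
    tokenMethod: 'cookie',
    cookieOptions: { secret: 'replace-with-a-real-secret' },
  },
};

// Workaround from the advisory: set sameSite explicitly ('strict', 'lax' or true).
const hardenedConfig: MinimalVendureConfig = {
  authOptions: {
    tokenMethod: 'cookie',
    cookieOptions: { secret: 'replace-with-a-real-secret', sameSite: 'strict' },
  },
};

// Attribute a cookie library would append to Set-Cookie for a given option value
// (assumed mapping: true -> Strict, false/undefined -> no attribute at all).
function sameSiteAttribute(value: SameSite): string {
  if (value === true || value === 'strict') return 'SameSite=Strict';
  if (value === 'lax') return 'SameSite=Lax';
  if (value === 'none') return 'SameSite=None';
  return '';
}

// True when the session cookie is used as the credential at all (cookie token method).
function usesCookieSession(config: MinimalVendureConfig): boolean {
  const method = config.authOptions.tokenMethod ?? 'cookie';
  return Array.isArray(method) ? method.includes('cookie') : method === 'cookie';
}

// Returns the list of CSRF-relevant findings for a config; empty means the
// session cookie will not be attached to cross-site requests.
function auditSessionCookie(config: MinimalVendureConfig): string[] {
  const findings: string[] = [];
  if (!usesCookieSession(config)) {
    return findings; // bearer-only deployments carry no ambient cookie credential
  }
  const value = config.authOptions.cookieOptions?.sameSite;
  const attr = sameSiteAttribute(value);
  if (attr === '') {
    findings.push('authOptions.cookieOptions.sameSite is unset/false: no SameSite attribute emitted');
  } else if (attr === 'SameSite=None') {
    findings.push("sameSite 'none' explicitly allows cross-site cookie sending");
  } else if (attr === 'SameSite=Lax') {
    findings.push('sameSite lax: cookie still sent on top-level GET navigations; ensure no state-changing GET endpoints');
  }
  return findings;
}
```

`'strict'` is the safest choice for an admin or shop API; `'lax'` still sends the cookie on top-level GET navigations, so it is only adequate when no state-changing operation is reachable via GET.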
Metadata
Created: 2023-07-11T22:46:19Z
Modified: 2023-07-11T22:46:19Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-h9wq-xcqx-mqxm/GHSA-h9wq-xcqx-mqxm.json
CWE IDs: []
Alternative ID: N/A
Finding: F007
Auto approve: 1