Cross-site Request Forgery (CSRF)

Affecting shoppe gem, versions <1.1.1

medium severity

Overview

shoppe is a full Rails engine providing e-commerce functionality for any Rails 4 application.

Affected versions of the package are vulnerable to Cross-Site Request Forgery (CSRF). The anti-CSRF protection protect_from_forgery is off by default in Rails ActionController::Base.

Remediation

Upgrade shoppe to version 1.1.1 or higher.

References

Do your applications use this vulnerable package?

Credit
Dean Perry
CWE
CWE-352
Snyk ID
SNYK-RUBY-SHOPPE-20441
Disclosed
20 Jul, 2015
Published
10 Jan, 2018