Cross-site Request Forgery (CSRF) Affecting shoppe package, versions <1.1.1
Snyk CVSS
Attack Complexity
Low
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-RUBY-SHOPPE-20441
- published 10 Jan 2018
- disclosed 20 Jul 2015
- credit Dean Perry
How to fix?
Upgrade shoppe
to version 1.1.1 or higher.
Overview
shoppe
is a full Rails engine providing e-commerce functionality for any Rails 4 application.
Affected versions of the package are vulnerable to Cross-site Request Forgery (CSRF). The anti-CSRF protection protect_from_forgery
is off by default in Rails ActionController::Base
.