Cross-site Scripting (XSS)

Affecting solidus_backend gem, versions >=1.0.0.pre, <1.0.5 || >=1.1.0.beta1, <1.1.3 || >=1.2.0.beta1, <1.2.1

medium severity

Overview

solidus_backend is an Admin interface for the Solidus e-commerce framework.

Affected versions of the package are vulnerable to Cross-site Scripting (XSS). An attacker can potentially inject HTML into the admin interface by registering with a specially crafted email address, which the admin renders without escaping. This could lead to JavaScript execution in the admin's browser and theft of the admin's API key and other credentials.
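The mechanism described above, as an added illustration that is not code from solidus_backend: a user-controlled email address interpolated into an HTML fragment without escaping, next to the output-escaped form that Rails ERB `<%= %>` produces by default (the hole typically appears where a view uses `raw` or `html_safe`), plus a plausibility check on the stored value. The sample address, the helper names and the regex are assumptions made for this example.

```ruby
require "erb"

# Constructed sample: a registration email carrying markup, as the
# advisory describes (the actual payload is not given on the page).
CRAFTED_EMAIL = "<script>x()</script>@example.com"

# Vulnerable pattern: user data dropped into an HTML fragment as-is,
# so the browser rendering the admin page interprets the markup.
def render_customer_row_unsafe(email)
  "<td>#{email}</td>"
end

# Hardened pattern: escape on output. ERB::Util.html_escape turns
# & < > " ' into entities, so the address is displayed, not executed.
def render_customer_row_safe(email)
  "<td>#{ERB::Util.html_escape(email)}</td>"
end

# Defence in depth on input: reject addresses containing whitespace
# or characters that HTML would interpret. Output escaping remains the
# primary control; this only narrows what can be stored.
def plausible_email?(email)
  email.match?(/\A[^@\s<>"']+@[^@\s<>"']+\z/)
end

if __FILE__ == $PROGRAM_NAME
  puts render_customer_row_unsafe(CRAFTED_EMAIL)
  puts render_customer_row_safe(CRAFTED_EMAIL)
  puts plausible_email?(CRAFTED_EMAIL)
end
```

Running the file prints the raw row (the markup survives), the escaped row (`&lt;script&gt;...`), and `false` for the plausibility check on the crafted address.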

You can read more about Cross-site Scripting (XSS) on our blog.

Remediation

Upgrade solidus_backend to version 1.2.1 or higher.

Credit: John Hawthorn
CWE: CWE-79
Snyk ID: SNYK-RUBY-SOLIDUSBACKEND-20473
Disclosed: 16 Feb, 2016
Published: 10 Jan, 2018