JSON Hijacking

Affecting spree_backend gem, versions >=2.2.0, <3.0.7

medium severity

Overview

spree_backend is a required dependency for Spree.

Affected versions of the package are vulnerable to JSON Hijacking: an endpoint returns a top-level JSON array, and a bare array literal is also a syntactically valid JavaScript program, so the response body can be interpreted as JavaScript rather than as data.
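The following plain-Ruby sketch is an added illustration, not code from the advisory or from the Spree project: it places the vulnerable response shape (a bare top-level array) beside the wrapped form, and includes a check that flags response bodies whose top level is an array. The `render_*` helper names, the `data` key and the sample records are constructed for this example.

```ruby
require "json"

# Constructed sample records standing in for a collection an API might return.
RECORDS = [
  { "id" => 1, "email" => "alice@example.com" },
  { "id" => 2, "email" => "bob@example.com" }
].freeze

# Vulnerable shape: the collection is serialized directly, so the body is a
# top-level array, which is also a valid JavaScript program on its own.
def render_unwrapped(records)
  JSON.generate(records)
end

# Hardened shape: wrap the collection in an object under a named key, so the
# body is no longer a valid stand-alone JavaScript program.
def render_wrapped(records, key: "data")
  JSON.generate({ key => records })
end

# Defender-side check: parse a response body and report whether its top level
# is an array. Non-JSON bodies are treated as not affected.
def top_level_array?(body)
  JSON.parse(body).is_a?(Array)
rescue JSON::ParserError
  false
end

# Given a hash of path => response body, return the paths whose body is a
# bare top-level array (the shape the advisory describes).
def hijackable_endpoints(responses)
  responses.select { |_path, body| top_level_array?(body) }.keys
end

if $PROGRAM_NAME == __FILE__
  responses = {
    "/api/users"    => render_unwrapped(RECORDS),
    "/api/users_v2" => render_wrapped(RECORDS)
  }
  puts "top-level array responses: #{hijackable_endpoints(responses).inspect}"
end
```

Running the script reports only `/api/users`, the endpoint whose body is a bare array; the wrapped variant passes the check.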

Remediation

Upgrade spree_backend to version 3.0.7 or higher.

Credit
John Hawthorn
CWE
CWE-642
Snyk ID
SNYK-RUBY-SPREEBACKEND-20475
Disclosed
22 Mar, 2016
Published
10 Jan, 2018