Cross-site Scripting (XSS)

Affecting spree_backend gem, versions >=1.0.0.pre, <1.0.5 || >=1.1.0.beta1, <1.1.3 || >=1.2.0.beta1, <1.2.1

medium severity

Overview

spree_backend is a required dependency for Spree.

Affected versions of the package are vulnerable to Cross-site Scripting (XSS). An attacker can potentially inject HTML into the admin interface by registering with a specially crafted email address, because the address is rendered unescaped in admin views. This could lead to injecting JavaScript into the admin and stealing the admin's API key and other credentials.
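The pattern behind this advisory, as an added illustration rather than Spree's own code: a constructed email address carrying markup is rendered with a template that does not escape it, beside the hardened template that does, plus the input-side check that keeps such a value from being stored at registration. Plain ERB is used to model the behaviour; in a Rails view it corresponds to emitting the value via raw/html_safe versus the default escaped <%= %>.

```ruby
require "erb"
require "uri"

# Constructed sample input: an email address with HTML appended, the kind of
# value a registration form accepts when the address format is not validated.
CRAFTED_EMAIL = "user@example.com<script>alert(1)</script>"

# Vulnerable pattern (hypothetical): plain ERB does not escape <%= %>, which
# models a Rails view that marks the user-supplied value html_safe or uses raw.
VULNERABLE_TEMPLATE = ERB.new("<td><%= email %></td>")

# Hardened pattern: the value is HTML-escaped before it is interpolated, so
# any markup arrives in the admin's browser as inert text.
HARDENED_TEMPLATE = ERB.new("<td><%= ERB::Util.html_escape(email) %></td>")

# Renders the admin cell without escaping; markup in `email` reaches the page.
def render_vulnerable(email)
  VULNERABLE_TEMPLATE.result(binding)
end

# Renders the same cell with output encoding applied.
def render_hardened(email)
  HARDENED_TEMPLATE.result(binding)
end

# Input-side defence: reject addresses that are not well-formed at registration
# time, so markup never enters the database in the first place. Uses the
# anchored address pattern shipped in Ruby's standard library.
def valid_email?(email)
  email.match?(URI::MailTo::EMAIL_REGEXP)
end

# Rendered markup still contains an executable script element?
def contains_script?(html)
  html.include?("<script")
end
```
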

You can read more about Cross-site Scripting (XSS) on our blog.

Remediation

There is no fix version for spree_backend.

Credit: John Hawthorn
CWE: CWE-79
Snyk ID: SNYK-RUBY-SPREEBACKEND-20476
Disclosed: 16 Feb, 2016
Published: 10 Jan, 2018