Json Hijacking

Affecting spree_frontend gem, versions <3.0.7, >=3.0.0.rc1

medium severity

Overview

spree_frontend provides the front-end e-commerce functionality for the Spree project.

Affected versions of the package are vulnerable to JSON hijacking: an endpoint returns a top-level JSON array, and an array literal is also a valid JavaScript expression, so the response can be loaded and evaluated as a script.
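The following is an added example, not code from spree_frontend or its 3.0.7 fix: a Rack-style middleware that detects JSON responses whose top level is an array and rewrites them into an object, since an object literal at statement position is a syntax error in JavaScript and so cannot be evaluated by a cross-origin script tag. The wrapper key "data", the middleware, and the sample app are assumptions.

```ruby
require 'json'

# Added example (not Spree's own code). Assumes the standard Rack protocol:
# app.call(env) -> [status, headers, body], where body responds to #each.
module JsonHijackGuard
  # Detection helper: true when a JSON response body is a top-level array,
  # i.e. syntactically a JavaScript array literal.
  def self.top_level_array?(content_type, body)
    return false unless content_type.to_s.start_with?('application/json')
    JSON.parse(body).is_a?(Array)
  rescue JSON::ParserError
    false
  end

  # Mitigation: wrap a top-level array in an object under the assumed key
  # "data". Objects, arrays nested inside them, and scalars pass through.
  def self.harden(body)
    parsed = JSON.parse(body)
    return body unless parsed.is_a?(Array)
    JSON.generate('data' => parsed)
  end

  class Middleware
    def initialize(app)
      @app = app
    end

    def call(env)
      status, headers, body = @app.call(env)
      content_type = headers['Content-Type'] || headers['content-type']
      raw = +''
      body.each { |chunk| raw << chunk }
      body.close if body.respond_to?(:close)
      return [status, headers, [raw]] unless JsonHijackGuard.top_level_array?(content_type, raw)
      hardened = JsonHijackGuard.harden(raw)
      headers = headers.merge('Content-Length' => hardened.bytesize.to_s)
      [status, headers, [hardened]]
    end
  end
end

# Constructed sample app: returns a top-level array, the response shape this
# advisory describes (the record contents are made up).
VULNERABLE_APP = lambda do |_env|
  payload = JSON.generate([{ 'id' => 1, 'email' => 'a@example.com' }])
  [200, { 'Content-Type' => 'application/json' }, [payload]]
end

# Runs the constructed app behind the guard and returns the Rack triple.
def guarded_response(env = {})
  JsonHijackGuard::Middleware.new(VULNERABLE_APP).call(env)
end
```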

Remediation

Upgrade spree_frontend to version 3.0.7 or higher.

Credit: John Hawthorn
CWE: CWE-642
Snyk ID: SNYK-RUBY-SPREEFRONTEND-20477
Disclosed: 22 Feb, 2016
Published: 10 Jan, 2018