Advisories for Gem/Solidus_core package

2022

Cross-Site Request Forgery (CSRF)

solidus_backend is the admin interface for the Solidus e-commerce framework. Versions prior to 3.1.6, 3.0.6, and 2.11.16 contain a cross-site request forgery (CSRF) vulnerability. The vulnerability allows attackers to change the state of an order's adjustments if they hold its number, and the execution happens on a store administrator's computer. Users should upgrade to solidus_backend 3.1.6, 3.0.6, or 2.11.16 to receive a patch.

2021

Cross-Site Request Forgery (CSRF)

solidus_frontend is the cart and storefront for the Solidus e-commerce project. Versions of solidus_frontend contain a cross-site request forgery (CSRF) vulnerability that allows a malicious site to add an item to the user's cart without their knowledge. contain a patch for this issue. The patch adds CSRF token verification to the "Add to cart" action. Adding forgery protection to a form that missed it can have some side effects. Other …

Inefficient Regular Expression Complexity

Solidus is a free, open-source ecommerce platform built on Rails.If a prompt upgrade is not an option, a workaround is available. It is possible to edit the file config/application.rb manually (with code provided by the maintainers in the GitHub Security Advisory) to check email validity.

Authentication Bypass by CSRF Weakness

Impact The actual vulnerability has been discovered on solidus_auth_devise. See GHSA-xm34-v85h-9pg2 for details. The security advisory here exists to provide an extra layer of security in the form of a monkey patch for users who don't update solidus_auth_devise. For this reason, it has been marked as low impact on this end. Patches For extra security, update solidus_core to versions 3.1.3, 3.0.3 or 2.11.12. Workarounds Look at the workarounds described at …

2020

Improper Input Validation

This vulnerability allows a malicious customer to craft request data with parameters that allow changing the address of the current order without changing the shipment costs associated with the new shipment. All stores with at least two shipping zones and different costs of shipment per zone are impacted. This problem comes from how checkout permitted attributes are structured. We have a single list of attributes that are permitted across the …