RubySec

Providing security resources for the Ruby community

OSVDB-119205 (spree): Spree API Information Disclosure CSRF

ADVISORIES

GEM

spree

PATCHED VERSIONS

  • ~> 2.2.10
  • ~> 2.3.8
  • ~> 2.4.5
  • >= 3.0.0.rc4

DESCRIPTION

Spree contains a flaw in the API: HTTP requests do not require multiple steps, explicit confirmation, or a unique token when performing certain sensitive actions. By tricking a user into following a specially crafted link, a context-dependent attacker can perform a Cross-Site Request Forgery (CSRF / XSRF) attack that causes the victim's browser to disclose potentially sensitive information to the attacker.
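The control the description says is missing is a per-session unique token that a sensitive request must present in addition to the session cookie. The following is an added illustration, not Spree's own code or its actual fix: it models a request as a plain Hash standing in for a Rack request, and the names `CsrfGuard`, `AccountEndpoint`, the `X-CSRF-Token` header and the sample account data are all hypothetical. It places the flawed pattern (trusting the session cookie alone) beside the guarded one so the difference in outcome for a request the user did not intend is visible.

```ruby
require 'securerandom'

# Added example, not Spree's code. A minimal per-session CSRF token guard.
# A request is a plain Hash standing in for a Rack request:
#   { method:, headers:, params:, session: }
# The browser attaches the session cookie to a cross-site request on its
# own, so the session alone proves nothing about who initiated the request;
# the token, which a foreign origin cannot read, is what separates a
# user-initiated request from a forged one.
module CsrfGuard
  TOKEN_BYTES = 32

  # Issue the session's token once; it lives server-side in the session and
  # is handed only to pages served by this application.
  def self.token_for(session)
    session[:csrf_token] ||= SecureRandom.urlsafe_base64(TOKEN_BYTES)
  end

  # Constant-time comparison so the check does not leak matching prefixes.
  # Token length is fixed, so an early exit on length mismatch leaks nothing.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # True when the request carries the token belonging to its own session.
  # The token may arrive in a header (usual for JSON APIs) or a form field.
  def self.verified?(request)
    expected = request[:session][:csrf_token]
    return false if expected.nil?
    presented = request.fetch(:headers, {})['X-CSRF-Token'] ||
                request.fetch(:params, {})['authenticity_token']
    return false if presented.nil?
    secure_equal?(expected, presented)
  end
end

# A sensitive endpoint returning account data for the session's user.
class AccountEndpoint
  # Constructed sample data for the demonstration.
  ACCOUNTS = { 42 => { email: 'alice@example.test', orders: 3 } }.freeze

  # Flawed pattern: trusts the session cookie alone. Any request the browser
  # sends with the cookie attached, whoever triggered it, gets the data.
  def self.show_unprotected(request)
    user_id = request[:session][:user_id]
    return [401, {}] unless user_id
    [200, ACCOUNTS.fetch(user_id)]
  end

  # Hardened pattern: additionally require the per-session token.
  def self.show_protected(request)
    return [403, { error: 'missing or invalid CSRF token' }] unless CsrfGuard.verified?(request)
    show_unprotected(request)
  end
end

# Scenario: one logged-in session; a legitimate request from a page this
# application served (and therefore given the token); a request from
# elsewhere that rides on the cookie but has no token; and one that guesses.
# Returns the HTTP status each combination produces.
def csrf_demo
  session = { user_id: 42 }
  token   = CsrfGuard.token_for(session)
  legit   = { method: 'GET', session: session, headers: { 'X-CSRF-Token' => token } }
  forged  = { method: 'GET', session: session, headers: {} }
  guessed = { method: 'GET', session: session, headers: { 'X-CSRF-Token' => 'A' * token.length } }
  {
    unprotected_forged: AccountEndpoint.show_unprotected(forged).first,   # 200: data leaks
    protected_forged:   AccountEndpoint.show_protected(forged).first,     # 403
    protected_guessed:  AccountEndpoint.show_protected(guessed).first,    # 403
    protected_legit:    AccountEndpoint.show_protected(legit).first       # 200
  }
end

puts csrf_demo.inspect if $PROGRAM_NAME == __FILE__
```

The point of the side-by-side is the first two results: the same cookie-bearing request that the unprotected endpoint answers with data is refused by the protected one, because only pages served by the application ever see the token. In a Rails application this is what `protect_from_forgery` provides; an API controller that skips it while still authenticating from the session cookie reproduces the unprotected pattern above.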

RELATED