ADVISORIES
- OSVDB-119205
- Vendor Advisory
GEM
PATCHED VERSIONS
- ~> 2.2.10
- ~> 2.3.8
- ~> 2.4.5
- >= 3.0.0.rc4
DESCRIPTION
Spree's API performs certain sensitive actions on a single HTTP request that requires neither multiple steps, explicit confirmation, nor a unique per-request (anti-CSRF) token. An attacker who tricks an authenticated user into following a specially crafted link, or into loading a page that issues the request, can therefore forge that request in the victim's session: a Cross-Site Request Forgery (CSRF / XSRF) that causes the victim to disclose potentially sensitive information to the attacker. Upgrade to one of the patched versions listed above; note that the listed ranges cover only the 2.2, 2.3, 2.4 and 3.0 release branches.
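The following is an added example, not code from the advisory or from the Spree project, showing how to check a deployed Spree version against the patched ranges listed above using only the version classes that ship with rubygems. The `Gemfile.lock` fragment it parses is constructed for the demonstration, and the helper names (`patched?`, `spree_version_from_lockfile`) are my own.

```ruby
# Added example: check a Spree version against the patched ranges listed in
# this advisory. Uses only rubygems' Gem::Version / Gem::Requirement, which
# are loaded by default in modern Ruby.
require "rubygems"

# The patched ranges exactly as the advisory lists them.
PATCHED_VERSIONS = [
  "~> 2.2.10",
  "~> 2.3.8",
  "~> 2.4.5",
  ">= 3.0.0.rc4",
].map { |r| Gem::Requirement.new(r) }.freeze

# Returns true when +version+ (a String such as "2.3.8") falls inside at
# least one patched range. A version on a branch with no patched release
# listed in the advisory (for example 2.1.x) is reported as not patched,
# since nothing here says it is safe.
def patched?(version)
  v = Gem::Version.new(version)
  PATCHED_VERSIONS.any? { |req| req.satisfied_by?(v) }
end

# Reads the Spree version pinned in a Gemfile.lock, i.e. the "spree (x.y.z)"
# entry under GEM/specs, and returns it as a String, or nil if spree is not
# in the lockfile. Dependency lines such as "spree (= 2.3.7)" are skipped
# because the captured text must start with a digit.
def spree_version_from_lockfile(lockfile_text)
  m = lockfile_text.match(/^\s+spree \((\d[^)]*)\)/)
  m && m[1]
end

# Constructed sample lockfile fragment for the demonstration (not real data).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      spree (2.3.7)
        spree_api (= 2.3.7)
        spree_backend (= 2.3.7)
LOCK

if __FILE__ == $PROGRAM_NAME
  v = spree_version_from_lockfile(SAMPLE_LOCKFILE)
  status = patched?(v) ? "patched" : "VULNERABLE (OSVDB-119205)"
  puts "spree #{v}: #{status}"
end
```

Point the lockfile reader at a real `Gemfile.lock` to audit an application; the `~>` pessimistic operator means, for example, that 2.3.8 and 2.3.9 are patched while 2.3.7 and 2.4.0 are not, and the prerelease `3.0.0.rc4` lower bound correctly treats `3.0.0.rc3` as unpatched and the final `3.0.0` as patched.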