Vendure Cross Site Request Forgery vulnerability impacting all API requests

Impact

Vendure is an e-commerce GraphQL framework with a number of APIs and different levels of authorization. By default the Cookie settings are insecure, having the SameSite setting as false which results in not having one (originates from the cookie-session npm package’s default settings).

Patches

In progress

Workarounds

Manually set the authOptions.cookieOptions.sameSite configuration option to 'strict', 'lax' or true.

References

Are there any links users can visit to find out more?

Published: Jul 11, 2023
Updated: Jul 12, 2023
GHSA: GHSA-h9wq-xcqx-mqxm
Severity: Low
Exploit:

No technical information available.

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
@vendure / core	-	2.0.3

https://github.com/vendure-ecommerce/vendure/commit/4a10d6785a3bf792ddf84053cdf232c205b82c81
https://github.com/vendure-ecommerce/vendure/security/advisories/GHSA-h9wq-xcqx-mqxm

Vulnerability Database

Vendure Cross Site Request Forgery vulnerability impacting all API requests

Impact

Patches

Workarounds

References