Home > Vulnerability Database > WS-2023-0233

Mend.io Vulnerability Database

WS-2023-0233

Good to know:

Date: July 11, 2023

Vendure is an e-commerce GraphQL framework with a number of APIs and different levels of authorization. By default the Cookie settings are insecure, having the SameSite setting as false which results in not having one (originates from the cookie session npm package’s default settings). This affects all versions prior to 2.0.3.

Language: TYPE_SCRIPT

Severity Score

5.3

Related Resources (2)

Url: https://github.com/vendure-ecommerce/vendure/commit/4a10d6785a3bf792ddf84053cdf232c205b82c81

Url: https://www.mend.io/vulnerability-database/WS-2023-0233

Severity Score

5.3

Weakness Type (CWE)

Cross-Site Request Forgery (CSRF)

CWE-352

Top Fix

Upgrade Version

Upgrade to version @vendure/core - 2.0.3

Learn More

CVSS v3.1

Base Score:	5.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

WS-2023-0233

Good to know:

Date: July 11, 2023

Language: TYPE_SCRIPT

Severity Score

Related Resources (2)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?