Home > Vulnerability Database > WS-2023-0233

Mend.io Vulnerability Database

WS-2023-0233

Good to know:

Date: August 19, 2025

Vendure is an e-commerce GraphQL framework with a number of APIs and different levels of authorization. By default the Cookie settings are insecure, having the SameSite setting as false which results in not having one (originates from the cookie session npm package’s default settings). This affects all versions prior to 2.0.3.

Language: TYPE_SCRIPT

Severity Score

4.3

Related Resources (4)

Url: https://github.com/vendure-ecommerce/vendure/security/advisories/GHSA-h9wq-xcqx-mqxm

Url: https://github.com/vendure-ecommerce/vendure

Url: https://github.com/vendure-ecommerce/vendure/commit/4a10d6785a3bf792ddf84053cdf232c205b82c81

Url: https://www.mend.io/vulnerability-database/WS-2023-0233

Severity Score

4.3

Weakness Type (CWE)

Cross-Site Request Forgery (CSRF)

CWE-352

CVSS v3.1

Base Score:	4.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

WS-2023-0233

Good to know:

Date: August 19, 2025

Language: TYPE_SCRIPT

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?