N/A

CVSS Score

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-h9wq-xcqx-mqxm

GHSA-h9wq-xcqx-mqxm: Vendure Cross Site Request Forgery vulnerability impacting all API requests

Impact

Vendure is an e-commerce GraphQL framework with a number of APIs and different levels of authorization. By default the Cookie settings are insecure, having the SameSite setting as false which results in not having one (originates from the cookie-session npm package’s default settings).

Patches

In progress

Workarounds

Manually set the authOptions.cookieOptions.sameSite configuration option to 'strict', 'lax' or true.

References

Are there any links users can visit to find out more?

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-h9wq-xcqx-mqxm

GHSA-h9wq-xcqx-mqxm:

N/A

CVSS Score

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
@vendure/core	npm	< 2.0.3	2.0.3

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from insecure default cookie configuration settings (specifically missing 'sameSite' attribute) in the default-config.ts file, rather than specific functions. The fix involved modifying the configuration object's cookieOptions property to set sameSite: 'lax'. While the cookie-session middleware's default behavior is implicated, there are no actual functions in Vendure's codebase that directly implement this behavior - the vulnerability arises from configuration values passed to a dependency rather than vulnerable function implementations within Vendure itself.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-h9wq-xcqx-mqxm: Vendure Cross Site Request Forgery vulnerability impacting all API requests

Impact

Patches

Workarounds

References

GHSA-h9wq-xcqx-mqxm:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

N/A

N/A

GHSA-h9wq-xcqx-mqxm: Vendure Cross Site Request Forgery vulnerability impacting all API requests

Impact

Patches

Workarounds

References

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI