Unknown · Spree Auth Devise · CVE-2021-41275
**Name of the Vulnerable Software and Affected Versions**
spree_auth_devise versions prior to 4.0.1
spree_auth_devise versions prior to 4.1.1
spree_auth_devise versions prior to 4.2.1
spree_auth_devise versions prior to 4.4.1
**Description**
The issue is a CSRF vulnerability that allows user account takeover. All applications using any version of the frontend component of `spree_auth_devise` are affected if the `protect_from_forgery` method is both executed (as a `before_action` callback or as a `prepend_before_action`) before the `:load_object` hook in `Spree::UserController`, and configured to use the `:null_session` or `:reset_session` strategy. Applications that keep the forgery-protection configuration Rails generates by default aren't affected.
**Recommendations**
For Spree 4.3 users, update to spree_auth_devise 4.4.1.
For Spree 4.2 users, update to spree_auth_devise 4.2.1.
For Spree 4.1 users, update to spree_auth_devise 4.1.1.
For older Spree version users, update to spree_auth_devise 4.0.1.
As a temporary workaround, consider changing the strategy to `:exception` by adding the following code to `config/application.rb`:
```ruby
config.after_initialize do
  # Applied after initialization so it overrides whatever strategy the engine's controller set
  Spree::UsersController.protect_from_forgery with: :exception
end
```
Alternatively, change the strategy to `:exception` in the `ApplicationController`:
```ruby
class ApplicationController < ActionController::Base
  # Reject any request whose authenticity token does not match instead of continuing with a nulled session
  protect_from_forgery with: :exception
end
```
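To see why the workaround switches the strategy to `:exception`, here is an added toy model of how the three `protect_from_forgery` strategies react to a request whose authenticity token does not match. This is example code written for this page, not code from Rails, Spree or `spree_auth_devise`: `ToyUsersController`, its users table, the session contents and the token values are all constructed, and the callback names (`protect_from_forgery`, `load_object`, `update`) only mirror the advisory. With `:null_session` or `:reset_session`, the callback chain and the action still run after the failed check; with `:exception`, the request is halted before any later callback or the action executes.

```ruby
# Added example (not code from spree_auth_devise or Rails): a toy model of how
# Rails' three protect_from_forgery strategies react when a request carries a
# non-matching authenticity token. Controller, users table, session and tokens
# are constructed sample data; callback names mirror the advisory only.

class InvalidAuthenticityToken < StandardError; end

class ToyUsersController
  attr_reader :log

  # strategy: :null_session, :reset_session or :exception
  # session:  the stored session, e.g. { user_id: 1, _csrf_token: "t" }
  # params:   submitted form fields, including :authenticity_token
  def initialize(strategy:, users:, session:, params:)
    @strategy, @users, @session, @params = strategy, users, session, params
    @log = []
  end

  # Models verify_authenticity_token: on a token mismatch, apply the strategy.
  def protect_from_forgery
    return if @params[:authenticity_token] == @session[:_csrf_token]
    case @strategy
    when :null_session  then @session = {}        # swap in an empty session, keep going
    when :reset_session then @session.clear       # wipe the stored session, keep going
    when :exception     then raise InvalidAuthenticityToken # halt the request here
    else raise ArgumentError, "unknown strategy #{@strategy.inspect}"
    end
  end

  # Models the :load_object hook: find the user the session points at.
  def load_object
    @user = @session[:user_id] && @users[@session[:user_id]]
  end

  # The action itself: change the loaded user's email.
  def update
    return :no_user unless @user
    @user[:email] = @params[:email]
    :updated
  end

  # Run the before_action chain in the given order, then the action.
  # Returns the action's result, or :halted if a callback raised.
  def run(callbacks)
    callbacks.each { |cb| send(cb); @log << cb }
    @log << :update
    update
  rescue InvalidAuthenticityToken
    @log << :halted
    :halted
  end
end

# One request with a stale token under the given strategy.
# Returns [result, callbacks that ran, the user's email afterwards].
def forged_request(strategy)
  users = { 1 => { email: "victim@example.test" } }            # constructed
  ctrl = ToyUsersController.new(
    strategy: strategy, users: users,
    session: { user_id: 1, _csrf_token: "real-token" },         # constructed
    params: { authenticity_token: "stale", email: "changed@example.test" }
  )
  [ctrl.run(%i[protect_from_forgery load_object]), ctrl.log, users[1][:email]]
end

# The same request with the correct token: every strategy lets it through.
def genuine_request(strategy)
  users = { 1 => { email: "victim@example.test" } }
  ctrl = ToyUsersController.new(
    strategy: strategy, users: users,
    session: { user_id: 1, _csrf_token: "real-token" },
    params: { authenticity_token: "real-token", email: "changed@example.test" }
  )
  [ctrl.run(%i[protect_from_forgery load_object]), users[1][:email]]
end

if __FILE__ == $PROGRAM_NAME
  %i[null_session reset_session exception].each do |s|
    result, ran, email = forged_request(s)
    puts "#{s}: result=#{result} callbacks=#{ran.inspect} email=#{email}"
  end
end
```

Running the script shows the two non-halting strategies reaching `:update` with the session emptied, while `:exception` logs only `:halted`. In a real application, the strategy actually in force for the controller after boot can be read in a Rails console with `Spree::UsersController.forgery_protection_strategy`, which is a quick way to confirm that one of the workarounds above took effect.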