PT-2021-23234 · Unknown · Solidus Auth Devise

Vampire000 · Published 2021-11-17 · Updated 2021-11-24

CVE-2021-41274 · CVSS v3.1: 9.3 (Critical)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: solidus_auth_devise versions prior to 2.5.4

Description: The issue is a CSRF vulnerability that allows user account takeover. It affects applications using any version of the frontend component of solidus_auth_devise if the protect_from_forgery method is executed as a before_action callback or as a prepend_before_action before the :load_object hook in Spree::UsersController, and is configured to use the :null_session or :reset_session strategy.

Recommendations: To resolve the issue, update to solidus_auth_devise version 2.5.4. If updating is not possible, change the strategy to :exception by adding protect_from_forgery with: :exception to the ApplicationController. Alternatively, add config.after_initialize do Spree::UsersController.protect_from_forgery with: :exception end to config/application.rb to run the :exception strategy only on the affected controller.
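To show why the recommendation insists on the :exception strategy, here is an added Ruby model (not code from Rails or solidus_auth_devise) of how the three forgery-protection strategies treat a request that carries no valid CSRF token when protect_from_forgery runs before :load_object, as in the vulnerable ordering above. Request, handle, load_object and update are assumed stand-ins for the real controller machinery.

```ruby
# Added example: a simplified model of Rails' request-forgery strategies,
# not code from Rails or solidus_auth_devise. Request, handle, load_object
# and update are stand-ins for the real controller machinery.
class InvalidAuthenticityToken < StandardError; end

# session: the victim's authenticated session; token_ok: whether the request
# carried a valid CSRF token; steps: which callbacks/actions actually ran.
Request = Struct.new(:session, :token_ok, :steps)

# Mirrors handle_unverified_request: only :exception halts the request.
def protect_from_forgery(req, with:)
  req.steps << :protect_from_forgery
  return if req.token_ok
  case with
  when :exception     then raise InvalidAuthenticityToken  # request stops here
  when :null_session  then req.session = {}                # empty session, continue
  when :reset_session then req.session.clear               # wiped session, continue
  else raise ArgumentError, "unknown forgery strategy: #{with.inspect}"
  end
end

# Stand-in for the :load_object hook, which runs after forgery protection
# in the vulnerable ordering described by the advisory.
def load_object(req)
  req.steps << :load_object
end

# Stand-in for the state-changing action (e.g. updating the account).
def update(req)
  req.steps << :update
end

# Runs the chain in the vulnerable order: protect_from_forgery, then
# :load_object, then the action. Returns what happened to the request.
def handle(session:, token_ok:, with:)
  req = Request.new(session, token_ok, [])
  protect_from_forgery(req, with: with)
  load_object(req)
  update(req)
  { outcome: :executed, steps: req.steps, session: req.session }
rescue InvalidAuthenticityToken
  { outcome: :rejected, steps: req.steps, session: req.session }
end

if __FILE__ == $0
  [:null_session, :reset_session, :exception].each do |strategy|
    r = handle(session: { user_id: 42 }, token_ok: false, with: strategy)
    puts "#{strategy}: #{r[:outcome]} after #{r[:steps].join(' -> ')}"
  end
end
```

The model covers only the strategy semantics: with :null_session and :reset_session the later callbacks and the action still execute, while :exception rejects the request before :load_object runs. How the real :load_object in solidus_auth_devise resolves the user under each strategy is not modeled here.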

Exploit · Fix · CSRF


Weakness Enumeration

Related Identifiers: CVE-2021-41274, GHSA-XM34-V85H-9PG2

Affected Products: Solidus Auth Devise