PT-2021-23976 · Unknown · Solidus Frontend

Published: 2021-12-20 · Updated: 2022-01-06 · CVE-2021-43846

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Solidus Frontend versions prior to 3.1.5; Solidus Frontend versions prior to 3.0.5; Solidus Frontend versions prior to 2.11.14
Description: The issue is a cross-site request forgery (CSRF) vulnerability that allows a malicious site to add an item to the user's cart without their knowledge. This is achieved by exploiting the "Add to cart" action, which previously lacked CSRF token verification. The vulnerability can be exploited by sending a POST request to the /orders/populate endpoint with the variant_id and quantity parameters. For example, an attacker could send a request to http://localhost:3000/orders/populate with the parameters variant_id=2 and quantity=1. To mitigate this, the patch adds CSRF token verification to the "Add to cart" action.
Recommendations: For versions prior to 3.1.5, upgrade to version 3.1.5 or later. For versions prior to 3.0.5, upgrade to version 3.0.5 or later. For versions prior to 2.11.14, upgrade to version 2.11.14 or later. As a temporary workaround, consider adding the following code to config/application.rb:

```ruby
# Re-enable Rails' CSRF check on the unprotected "Add to cart" action only,
# reusing whatever forgery-protection strategy the host application already uses.
config.after_initialize do
  Spree::OrdersController.protect_from_forgery with: ApplicationController.forgery_protection_strategy.name.demodulize.underscore.to_sym, only: [:populate]
end
```
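To make the mitigation concrete, the following is an added example (not Solidus or Rails code) of the synchronizer-token check that protect_from_forgery performs, reduced to plain Ruby so it runs without Rails. A per-session token is issued to the site's own forms; a request from another origin cannot read that token, so a forged POST to the populate action fails the comparison and the cart is left unchanged. The `OrdersController`, `CsrfGuard`, and the request hashes are constructed for this illustration; the real Rails implementation additionally masks tokens and supports per-form tokens, which is omitted here.

```ruby
require 'securerandom'

# Simplified synchronizer-token CSRF guard (illustrative, not Rails' implementation).
module CsrfGuard
  TOKEN_BYTES = 32

  # Issue, or reuse, the token stored in the user's session; the site's own
  # forms embed this value, a third-party page cannot read it.
  def self.session_token(session)
    session[:_csrf_token] ||= SecureRandom.base64(TOKEN_BYTES)
  end

  # Constant-time comparison so the check does not leak the token byte by byte.
  def self.secure_compare(a, b)
    return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end

  # Safe methods pass; state-changing methods must carry the session's token,
  # either as the authenticity_token parameter or the X-CSRF-Token header.
  def self.verified?(request, session)
    return true if %w[GET HEAD OPTIONS].include?(request[:method])
    supplied = request[:params]['authenticity_token'] || request[:headers]['X-CSRF-Token']
    expected = session[:_csrf_token]
    return false if expected.nil? || supplied.nil?
    secure_compare(supplied, expected)
  end
end

# Stand-in for the patched controller: populate only mutates the cart after the
# token verifies, mirroring protect_from_forgery ... only: [:populate].
class OrdersController
  attr_reader :cart

  def initialize
    @cart = []
  end

  def populate(request, session)
    return { status: 422, cart: @cart.dup } unless CsrfGuard.verified?(request, session)

    @cart << { variant_id: request[:params]['variant_id'], quantity: request[:params]['quantity'].to_i }
    { status: 200, cart: @cart.dup }
  end
end

# Constructed requests: the first models the cross-site POST from the
# description (no token available to the attacker's page), the second a
# legitimate submission from the store's own form.
def demo
  session = {}
  token = CsrfGuard.session_token(session)
  controller = OrdersController.new

  cross_site = { method: 'POST', headers: {},
                 params: { 'variant_id' => '2', 'quantity' => '1' } }
  same_site  = { method: 'POST', headers: {},
                 params: { 'variant_id' => '2', 'quantity' => '1', 'authenticity_token' => token } }

  [controller.populate(cross_site, session), controller.populate(same_site, session)]
end

if __FILE__ == $PROGRAM_NAME
  blocked, accepted = demo
  puts "cross-site request: HTTP #{blocked[:status]}, cart size #{blocked[:cart].size}"
  puts "same-site request:  HTTP #{accepted[:status]}, cart size #{accepted[:cart].size}"
end
```

The important property is that the decision rests on a secret the attacker's origin cannot obtain, not on the request's shape: the forged request carries exactly the variant_id and quantity parameters a real one does, and is rejected solely because the token is missing. Before the fix, the populate action skipped this check, which is why the request in the description succeeded.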

Exploit · Fix · CSRF


Weakness Enumeration

Related Identifiers: CVE-2021-43846, GHSA-H3FG-H5V3-VF8M

Affected Products: Solidus Frontend