PT-2023-33025 · Vendure, Cookie-Session

Published 2023-07-11 · Updated 2023-07-11

Severity: None. No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions: Vendure (affected versions not specified)

Description: The issue concerns the default cookie settings in Vendure, an e-commerce GraphQL framework. They are insecure because the sameSite cookie option is false by default, so the session cookie is issued without a SameSite attribute and browsers attach it to cross-site requests. This default originates from the default settings of the cookie-session npm package, which Vendure uses for its session cookie.

Recommendations: For all affected versions, manually set the authOptions.cookieOptions.sameSite configuration option to 'strict', 'lax', or true as a workaround. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
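The following is an added illustration of what the recommended setting changes on the wire; it is not code from Vendure or cookie-session. It models the cookie options object that authOptions.cookieOptions accepts (the option names sameSite, secure and httpOnly are used as in the advisory), serializes a Set-Cookie header in the format emitted by the `cookies` package that cookie-session builds on (the exact attribute spelling is my assumption from that package's behaviour: `true` becomes `samesite=strict`, `false` omits the attribute), and includes a small audit function a deployment check could run against the configured options.

```typescript
// Added example: models Vendure-style cookie options and the resulting
// Set-Cookie header. Not Vendure's or cookie-session's own code.

type SameSite = 'strict' | 'lax' | 'none' | boolean;

// Mirrors the relevant fields of authOptions.cookieOptions (assumed shape).
interface CookieOptions {
  httpOnly?: boolean;  // cookie-session defaults this to true
  secure?: boolean;
  sameSite?: SameSite; // the option this advisory is about; defaults to false
}

// Constructed configurations: the vulnerable default and the recommended fix.
const insecureDefault: CookieOptions = { sameSite: false };
const hardened: CookieOptions = { sameSite: 'strict', secure: true };

// Maps the option value to the attribute value the browser sees, or null
// when no SameSite attribute is written at all (sameSite false/undefined).
function sameSiteAttribute(v: SameSite | undefined): 'strict' | 'lax' | 'none' | null {
  if (v === undefined || v === false) return null;
  return v === true ? 'strict' : v;
}

// Serializes a session cookie the way the `cookies` package does (assumed format).
function setCookieHeader(name: string, value: string, opts: CookieOptions): string {
  const parts = [`${name}=${value}`, 'path=/'];
  if (opts.httpOnly !== false) parts.push('httponly');
  if (opts.secure) parts.push('secure');
  const ss = sameSiteAttribute(opts.sameSite);
  if (ss !== null) parts.push(`samesite=${ss}`);
  return parts.join('; ');
}

// Configuration check: flags the insecure default and the one combination
// browsers reject outright (SameSite=None requires the Secure attribute).
function auditSameSite(opts: CookieOptions): { ok: boolean; reason: string } {
  const ss = sameSiteAttribute(opts.sameSite);
  if (ss === null) {
    return { ok: false, reason: 'sameSite is unset/false: cookie is sent on cross-site requests' };
  }
  if (ss === 'none' && !opts.secure) {
    return { ok: false, reason: 'sameSite=none without secure: modern browsers drop the cookie' };
  }
  return { ok: true, reason: `sameSite=${ss}` };
}

// Stand-alone demonstration.
for (const [label, opts] of [['default', insecureDefault], ['hardened', hardened]] as const) {
  console.log(label, '=>', setCookieHeader('session', 'abc123', opts), auditSameSite(opts));
}
```

With the default options the header carries no samesite attribute, which is the condition the advisory describes; with the recommended setting it carries `samesite=strict`. The audit function is the kind of check to add to a configuration test so the setting cannot silently regress to the upstream default.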

Related Identifiers

GHSA-H9WQ-XCQX-MQXM

Affected Products

Vendure
Cookie-Session