VYPR

RubyGems package

spree_auth_devise

pkg:gem/spree_auth_devise

Vulnerabilities (2)

  • CVE-2021-41275 (Nov 17, 2021)
    affected >= 4.3.0, < 4.4.1; fixed 4.4.1

    spree_auth_devise is an open source library which provides authentication and authorization services for use with the Spree storefront framework by using an underlying Devise authentication framework. In affected versions spree_auth_devise is subject to a CSRF vulnerability that

  • CVE-2013-2506 (Mar 8, 2013)
    affected >= 1.0.0, < 3.0.5; fixed 3.0.5

    app/models/spree/user.rb in spree_auth_devise in Spree 1.1.x before 1.1.6, 1.2.x, and 1.3.x does not perform mass assignment safely when updating a user, which allows remote authenticated users to assign arbitrary roles to themselves.