shopify_app is vulnerable to Cross-site Scripting (XSS)
23
Low Risk
Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper handling of Content-Security-Policy (CSP) headers. Applications that dynamically generate CSP headers from untrusted user input are at risk, because attackers can craft inputs that inject malicious directives into the CSP. The injected directives can effectively bypass the CSP, undermining its protections against XSS and other web-based attacks and potentially compromising the security of the application and its users. While a fix for this issue was introduced in Rails core, the affected package implemented its own mitigation measures to address the risk.
You are affected if you are using a vulnerable version of the package.
shopify_app is vulnerable to Cross-site Scripting (XSS) in versions 21.4.1 - 22.5.0.
Upgrade the shopify_app library to a patched version.
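The header injection described above, shown as an added example that is not code from shopify_app or Rails: a weak CSP builder beside a hardened one, plus a small parser that shows which directive a browser would honour. All method names, the allowlist pattern and the sample inputs are assumptions made for illustration.

```ruby
# Added example, not shopify_app or Rails code. All names are hypothetical.

# Assumed allowlist: a single lowercase host label under myshopify.com.
SHOP_HOST = /\A[a-z0-9][a-z0-9-]*\.myshopify\.com\z/

# Weak form: the untrusted value is interpolated into the header as-is.
def csp_unsafe(shop)
  "frame-ancestors https://#{shop}; script-src 'self'"
end

# Hardened form: reject anything that is not one allowlisted host, so
# ';', ',' and whitespace can never reach the header.
def csp_safe(shop)
  unless shop.is_a?(String) && shop.match?(SHOP_HOST)
    raise ArgumentError, "invalid shop host"
  end
  "frame-ancestors https://#{shop}; script-src 'self'"
end

# Parse a policy the way browsers do: split on ';' and keep only the
# first occurrence of each directive name (later duplicates are ignored).
def parse_csp(header)
  header.split(";").each_with_object({}) do |part, policy|
    name, *sources = part.strip.split(/\s+/)
    next if name.nil?
    policy[name.downcase] ||= sources
  end
end

# True when the effective script-src is no longer the one the app intended.
def injected?(header)
  parse_csp(header)["script-src"] != ["'self'"]
end

# Constructed inputs for the demonstration.
GOOD = "example-store.myshopify.com"
BAD  = "example-store.myshopify.com; script-src *"

puts injected?(csp_unsafe(GOOD))  # intended policy survives
puts injected?(csp_unsafe(BAD))   # injected directive shadows the real one
```

Because the first occurrence of a directive wins, any value interpolated ahead of the application's own directives has to be validated before the header is built.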