https://vulnerability.circl.lu/sightings/feed 2026-05-08T16:29:50.035698+00:00 Vulnerability-Lookup info@circl.lu python-feedgen Contains only the most 10 recent sightings. https://vulnerability.circl.lu/sighting/9c4e1a8e-115d-4fde-9d65-de7052f1543f/export 2026-05-08T16:29:50.403427+00:00 Automation user http://cve.circl.lu/user/automation {"uuid": "9c4e1a8e-115d-4fde-9d65-de7052f1543f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-41274", "type": "seen", "source": "https://t.me/cibsecurity/32543", "content": "\u203c CVE-2021-41274 \u203c\n\nsolidus_auth_devise provides authentication services for the Solidus webstore framework, using the Devise gem. In affected versions solidus_auth_devise is subject to a CSRF vulnerability that allows user account takeover. All applications using any version of the frontend component of `solidus_auth_devise` are affected if `protect_from_forgery` method is both: Executed whether as: A `before_action` callback (the default) or A `prepend_before_action` (option `prepend: true` given) before the `:load_object` hook in `Spree::UserController` (most likely order to find). Configured to use `:null_session` or `:reset_session` strategies (`:null_session` is the default in case the no strategy is given, but `rails --new` generated skeleton use `:exception`). Users should promptly update to `solidus_auth_devise` version `2.5.4`. Users unable to update should if possible, change their strategy to `:exception`. Please see the linked GHSA for more workaround details.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2021-11-17T22:14:48.000000Z"} 2021-11-17T22:14:48+00:00