CVE-2021-43846

Public Exploit
CSRF forgery protection bypass for Spree::OrdersController#populate

Description

`solidus_frontend` is the cart and storefront for the Solidus e-commerce project. Versions of `solidus_frontend` prior to 3.1.5, 3.0.5, and 2.11.14 contain a cross-site request forgery (CSRF) vulnerability that allows a malicious site to add an item to the user's cart without their knowledge. Versions 3.1.5, 3.0.5, and 2.11.14 contain a patch for this issue. The patch adds CSRF token verification to the "Add to cart" action. Adding forgery protection to a form that missed it can have some side effects. Other CSRF protection strategies as well as a workaround involving modifcation to config/application.rb` are available. More details on these mitigations are available in the GitHub Security Advisory.

Category

5.3
CVSS
Severity: Medium
CVSS 3.1 •
CVSS 2.0 •
EPSS 0.12%
Third-Party Advisory github.com Third-Party Advisory github.com Third-Party Advisory github.com
Affected: solidusio solidus
Published at:
Updated at:

References

Link Tags
https://github.com/solidusio/solidus/security/advisories/GHSA-h3fg-h5v3-vf8m exploit third party advisory mitigation
https://github.com/solidusio/solidus/commit/4d17cacf066d9492fc04eb3a0b16084b47376d81 third party advisory patch
https://github.com/solidusio/solidus/commit/a1b9bf7f24f9b8684fc4d943eacb02b1926c77c6 third party advisory patch

Frequently Asked Questions

What is the severity of CVE-2021-43846?
CVE-2021-43846 has been scored as a medium severity vulnerability.
How to fix CVE-2021-43846?
To fix CVE-2021-43846, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2021-43846 being actively exploited in the wild?
It is possible that CVE-2021-43846 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2021-43846?
CVE-2021-43846 affects solidusio solidus.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.