Please upgrade to spree_gateway 3.3.0 which supports Spree 3.1, 3.2 & 3.3
Add this to your Gemfile:
gem 'spree_gateway', '~> 3.3.0'
This vulnerability affects all stores including spree_gateway.
Due to a lack of authentication in the Skrill integration a malicious user could craft requests to manipulate payments. Update now, even if you’re not using the Skrill integration.
If for some reason you are unable to upgrade, the offending code can be removed
from an initializer.
# config/initializers/security-2017-07-25.rb
Rails.application.config.to_prepare do
Spree::SkrillStatusController.send(:remove_method, :update) rescue nil
Spree::CheckoutController.send(:remove_method, :skrill_return) rescue nil
end
Issue reported by John Hawthorn. Thank you!