Security alert for `spree_gateway` users


Mike Faber

Jul 26, 2017, 2:15:05 PM7/26/17
to Spree
Please upgrade to spree_gateway 3.3.0 which supports Spree 3.1, 3.2 & 3.3

Add this to your Gemfile:

gem 'spree_gateway', '~> 3.3.0'

This vulnerability affects all stores including spree_gateway.

Due to a lack of authentication in the Skrill integration a malicious user could craft requests to manipulate payments. Update now, even if you’re not using the Skrill integration.

In case of any urgent questions please use #support slack channel: http://slack.spreecommerce.com/

If for some reason you are unable to upgrade, the offending code can be removed from an initializer.

    # config/initializers/security-2017-07-25.rb
    Rails.application.config.to_prepare do
      Spree::SkrillStatusController.send(:remove_method, :update) rescue nil
      Spree::CheckoutController.send(:remove_method, :skrill_return) rescue nil
    end

Issue reported by John Hawthorn. Thank you!
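Added example, not part of Mike Faber's advisory and not code from spree_gateway: a plain-Ruby model of what the initializer above does, so the mechanism (and a post-boot check that the two Skrill actions are really gone) can be exercised without a Rails app. The `Spree::SkrillStatusController` and `Spree::CheckoutController` classes below are constructed stand-ins that carry only the two action names in question; `remove_skrill_actions`, `skrill_actions_disabled?` and `SKRILL_ACTIONS` are names chosen for this example.

```ruby
# Constructed stand-ins for the two Spree controllers named in the advisory.
# They define only the actions the initializer removes.
module Spree
  class SkrillStatusController
    # stands in for the payment-status callback action
    def update
      :skrill_status_updated
    end
  end

  class CheckoutController
    # stands in for the return-from-Skrill action
    def skrill_return
      :skrill_return_handled
    end
  end
end

# The actions the initializer removes, keyed by controller (assumed name).
SKRILL_ACTIONS = {
  Spree::SkrillStatusController => :update,
  Spree::CheckoutController     => :skrill_return,
}.freeze

# Mirrors the initializer body. remove_method raises NameError when the
# method is not defined on that exact class (already removed, or only
# inherited), which is what the advisory's `rescue nil` swallows; that makes
# the hook safe to run again, e.g. when to_prepare fires after a code reload
# in development. Returns the [class name, method] pairs removed on this call.
def remove_skrill_actions(actions = SKRILL_ACTIONS)
  actions.each_with_object([]) do |(klass, meth), removed|
    begin
      klass.send(:remove_method, meth)
      removed << [klass.name, meth]
    rescue NameError
      # nothing to do: the action is already gone from this class
    end
  end
end

# Post-boot check a store can run from a console or a test after applying
# the initializer: true only when neither Skrill action is callable any more.
def skrill_actions_disabled?(actions = SKRILL_ACTIONS)
  actions.none? { |klass, meth| klass.method_defined?(meth) }
end
```

Calling `remove_skrill_actions` once returns both removed actions and a second call returns an empty array, which is the idempotence the `rescue nil` buys; `skrill_actions_disabled?` is the assertion worth keeping in a store's test suite for as long as the workaround, rather than the upgrade, is in place.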