Security alert for `spree_gateway` users

14 views
Skip to first unread message

Mike Faber

unread,
Jul 26, 2017, 2:15:05 PM7/26/17
to Spree
Please upgrade to spree_gateway 3.3.0 which supports Spree 3.1, 3.2 & 3.3

Add this to your Gemfile:

gem 'spree_gateway', '~> 3.3.0'

This vulnerability affects all stores including spree_gateway.

Due to a lack of authentication in the Skrill integration a malicious user could craft requests to manipulate payments. Update now, even if you’re not using the Skrill integration.

In case of any urgent questions please use #support slack channel: http://slack.spreecommerce.com/

If for some reason you are unable to upgrade, the offending code can be removed 
from an initializer. 

   # config/initializers/security-2017-07-25.rb
    Rails.application.config.to_prepare do
      Spree::SkrillStatusController.send(:remove_method, :update) rescue nil
      Spree::CheckoutController.send(:remove_method, :skrill_return) rescue nil
    end

Issue reported by John Hawthorn. Thank you!
Reply all
Reply to author
Forward
0 new messages