VulnerableCode Package Details - pkg:gem/solidus

Search for packages

Vulnerability	Summary	Fixed by
VCID-1amr-xv82-93ac Aliases: CVE-2021-43805 GHSA-qxmr-qxh6-2cc9	Inefficient Regular Expression Complexity Solidus is a free, open-source ecommerce platform built on Rails.If a prompt upgrade is not an option, a workaround is available. It is possible to edit the file `config/application.rb` manually (with code provided by the maintainers in the GitHub Security Advisory) to check email validity.	3.1.4 Affected by 0 other vulnerabilities.
VCID-6n5g-nh97-nbbf Aliases: CVE-2021-43846 GHSA-h3fg-h5v3-vf8m	Cross-Site Request Forgery (CSRF) `solidus_frontend` is the cart and storefront for the Solidus e-commerce project. Versions of `solidus_frontend` contain a cross-site request forgery (CSRF) vulnerability that allows a malicious site to add an item to the user's cart without their knowledge. contain a patch for this issue. The patch adds CSRF token verification to the "Add to cart" action. Adding forgery protection to a form that missed it can have some side effects. Other CSRF protection strategies as well as a workaround involving modifcation to config/application.rb` are available. More details on these mitigations are available in the GitHub Security Advisory.	3.1.5 Affected by 0 other vulnerabilities.
VCID-c2de-ucf9-eqcp Aliases: GHSA-5629-8855-gf4g GMS-2021-4	Authentication Bypass by CSRF Weakness ### Impact The actual vulnerability has been discovered on `solidus_auth_devise`. See [GHSA-xm34-v85h-9pg2](https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2) for details. The security advisory here exists to provide an extra layer of security in the form of a monkey patch for users who don't update `solidus_auth_devise`. For this reason, it has been marked as low impact on this end. ### Patches For extra security, update `solidus_core` to versions `3.1.3`, `3.0.3` or `2.11.12`. ### Workarounds Look at the workarounds described at [GHSA-xm34-v85h-9pg2](https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2). ### References - [GHSA-xm34-v85h-9pg2](https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2). ### For more information If you have any questions or comments about this advisory: * Open an issue in [solidus_auth_devise](https://github.com/solidusio/solidus_auth_devise/issues) or a discussion in [solidus](https://github.com/solidusio/solidus/discussions) * Email us at [security@solidus.io](mailto:security@soliidus.io) * Contact the core team on [Slack](http://slack.solidus.io/)	3.1.3 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-1amr-xv82-93ac
Aliases:
CVE-2021-43805
GHSA-qxmr-qxh6-2cc9

Inefficient Regular Expression Complexity Solidus is a free, open-source ecommerce platform built on Rails.If a prompt upgrade is not an option, a workaround is available. It is possible to edit the file `config/application.rb` manually (with code provided by the maintainers in the GitHub Security Advisory) to check email validity.

3.1.4
Affected by 0 other vulnerabilities.

VCID-6n5g-nh97-nbbf
Aliases:
CVE-2021-43846
GHSA-h3fg-h5v3-vf8m

Cross-Site Request Forgery (CSRF) `solidus_frontend` is the cart and storefront for the Solidus e-commerce project. Versions of `solidus_frontend` contain a cross-site request forgery (CSRF) vulnerability that allows a malicious site to add an item to the user's cart without their knowledge. contain a patch for this issue. The patch adds CSRF token verification to the "Add to cart" action. Adding forgery protection to a form that missed it can have some side effects. Other CSRF protection strategies as well as a workaround involving modifcation to config/application.rb` are available. More details on these mitigations are available in the GitHub Security Advisory.

3.1.5
Affected by 0 other vulnerabilities.

VCID-c2de-ucf9-eqcp
Aliases:
GHSA-5629-8855-gf4g
GMS-2021-4

Authentication Bypass by CSRF Weakness ### Impact The actual vulnerability has been discovered on `solidus_auth_devise`. See [GHSA-xm34-v85h-9pg2](https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2) for details. The security advisory here exists to provide an extra layer of security in the form of a monkey patch for users who don't update `solidus_auth_devise`. For this reason, it has been marked as low impact on this end. ### Patches For extra security, update `solidus_core` to versions `3.1.3`, `3.0.3` or `2.11.12`. ### Workarounds Look at the workarounds described at [GHSA-xm34-v85h-9pg2](https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2). ### References - [GHSA-xm34-v85h-9pg2](https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2). ### For more information If you have any questions or comments about this advisory: * Open an issue in [solidus_auth_devise](https://github.com/solidusio/solidus_auth_devise/issues) or a discussion in [solidus](https://github.com/solidusio/solidus/discussions) * Email us at [security@solidus.io](mailto:security@soliidus.io) * Contact the core team on [Slack](http://slack.solidus.io/)

3.1.3
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-02T04:40:47.289088+00:00	GitLab Importer	Affected by	VCID-6n5g-nh97-nbbf	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/solidus_core/CVE-2021-43846.yml	38.6.0
2026-06-02T04:40:39.228739+00:00	GitLab Importer	Affected by	VCID-1amr-xv82-93ac	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/solidus_core/CVE-2021-43805.yml	38.6.0
2026-06-02T04:40:32.032752+00:00	GitLab Importer	Affected by	VCID-c2de-ucf9-eqcp	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/solidus_core/GMS-2021-4.yml	38.6.0