{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-21T10:09:51.634","vulnerabilities":[{"cve":{"id":"CVE-2024-31205","sourceIdentifier":"security-advisories@github.com","published":"2024-04-08T15:15:08.023","lastModified":"2026-01-07T20:05:30.017","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Saleor is an e-commerce platform. Starting in version 3.10.0 and prior to versions 3.14.64, 3.15.39, 3.16.39, 3.17.35, 3.18.31, and 3.19.19, an attacker may bypass cross-set request forgery (CSRF) validation when calling refresh token mutation with empty string. When a user provides an empty string in `refreshToken` mutation, while the token persists in `JWT_REFRESH_TOKEN_COOKIE_NAME` cookie, application omits validation against CSRF token and returns valid access token. Versions 3.14.64, 3.15.39, 3.16.39, 3.17.35, 3.18.31, and 3.19.19 contain a patch for the issue. As a workaround, one may replace `saleor.graphql.account.mutations.authentication.refresh_token.py.get_refresh_token`. This will fix the issue, but be aware, that it returns `JWT_MISSING_TOKEN` instead of `JWT_INVALID_TOKEN`.\n"},{"lang":"es","value":"Saleor es una plataforma de comercio electrónico. A partir de la versión 3.10.0 y anteriores a las versiones 3.14.64, 3.15.39, 3.16.39, 3.17.35, 3.18.31 y 3.19.19, un atacante puede omitir la validación de cross-set request forgery (CSRF) al llamar. actualizar la mutación del token con una cadena vacía. Cuando un usuario proporciona una cadena vacía en la mutación `refreshToken`, mientras el token persiste en la cookie `JWT_REFRESH_TOKEN_COOKIE_NAME`, la aplicación omite la validación contra el token CSRF y devuelve un token de acceso válido. Las versiones 3.14.64, 3.15.39, 3.16.39, 3.17.35, 3.18.31 y 3.19.19 contienen un parche para el problema. Como workaround, se puede reemplazar `saleor.graphql.account.mutations.authentication.refresh_token.py.get_refresh_token`. Esto solucionará el problema, pero tenga en cuenta que devuelve `JWT_MISSING_TOKEN` en lugar de `JWT_INVALID_TOKEN`."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N","baseScore":4.2,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":1.6,"impactScore":2.5},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N","baseScore":5.4,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":2.5}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-352"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:saleor:saleor:*:*:*:*:*:*:*:*","versionStartIncluding":"3.10.0","versionEndExcluding":"3.14.64","matchCriteriaId":"6AA9F9AF-E3A8-4D19-AC63-AB1F2115906F"},{"vulnerable":true,"criteria":"cpe:2.3:a:saleor:saleor:*:*:*:*:*:*:*:*","versionStartIncluding":"3.15.0","versionEndExcluding":"3.15.39","matchCriteriaId":"A592CB29-C622-4DCF-AD16-E6B103899F8A"},{"vulnerable":true,"criteria":"cpe:2.3:a:saleor:saleor:*:*:*:*:*:*:*:*","versionStartIncluding":"3.16.0","versionEndExcluding":"3.16.39","matchCriteriaId":"485BC5CE-2874-42E2-BFD9-5529046ED09B"},{"vulnerable":true,"criteria":"cpe:2.3:a:saleor:saleor:*:*:*:*:*:*:*:*","versionStartIncluding":"3.17.0","versionEndExcluding":"3.17.35","matchCriteriaId":"7D126A50-1C0D-4389-9316-9EC6BFAFFA95"},{"vulnerable":true,"criteria":"cpe:2.3:a:saleor:saleor:*:*:*:*:*:*:*:*","versionStartIncluding":"3.18.0","versionEndExcluding":"3.18.31","matchCriteriaId":"895CE01A-B60F-473F-9208-A36CAD6FA818"},{"vulnerable":true,"criteria":"cpe:2.3:a:saleor:saleor:*:*:*:*:*:*:*:*","versionStartIncluding":"3.19.0","versionEndExcluding":"3.19.19","matchCriteriaId":"C995842D-3835-4EAE-9C86-E0EF95A4716E"}]}]}],"references":[{"url":"https://github.com/saleor/saleor/commit/36699c6f5c99590d24f46e3d5c5b1a3c2fd072e7","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/saleor/saleor/security/advisories/GHSA-ff69-fwjf-3c9w","source":"security-advisories@github.com","tags":["Mitigation","Patch","Vendor Advisory"]},{"url":"https://github.com/saleor/saleor/commit/36699c6f5c99590d24f46e3d5c5b1a3c2fd072e7","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://github.com/saleor/saleor/security/advisories/GHSA-ff69-fwjf-3c9w","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mitigation","Patch","Vendor Advisory"]}]}}]}