CVE-2022-24744

Published: Mar 9, 2022Modified: Nov 21, 2024

3.5

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

Exploitability: 2.1 / Impact: 1.4

Source: NVD

Description

Shopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework. In affected versions user sessions are not logged out if the password is reset via password recovery. This issue has been resolved in version 6.4.8.1. For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin.

Affected (1)

Products: Shopware: Shopware

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Shopware Shopware	Before 6.4.8.1

Related CWEs

Insufficient Session Expiration

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

References (2)

https://github.com/shopware/platform/security/advisories/GHSA-w267-m9c4-8555

Source: security-advisories@github.com

PatchThird Party Advisory

https://github.com/shopware/platform/security/advisories/GHSA-w267-m9c4-8555

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

Timeline

No history available yet.