CVE-2022-24892

Published: Apr 28, 2022Modified: Nov 21, 2024

7.5

Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.6 / Impact: 5.9

Source: NVD

Description

Shopware is an open source e-commerce software platform. Starting with version 5.0.4 and before version 5.7.9, multiple tokens for password reset can be requested. All tokens can be used to change the password. This makes it possible for an attacker to take over the victim's account if they somehow gain access to the victims email account and find an unused password reset token in the emails. This issue is fixed in version 5.7.9.

Affected (1)

Products: Shopware: Shopware

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Shopware Shopware	From 5.0.4 to 5.7.9

Related CWEs

Weak Password Recovery Mechanism for Forgotten Password

The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.

References (6)

https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-04-2022

Source: security-advisories@github.com

Vendor Advisory

https://github.com/shopware/shopware/security/advisories/GHSA-3qrq-r688-vvh4

Source: security-advisories@github.com

PatchThird Party Advisory

https://www.shopware.com/en/changelog-sw5/#5-7-9

Source: security-advisories@github.com

Release NotesVendor Advisory

https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-04-2022

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://github.com/shopware/shopware/security/advisories/GHSA-3qrq-r688-vvh4

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://www.shopware.com/en/changelog-sw5/#5-7-9

Source: af854a3a-2127-422b-91ae-364da2661108

Release NotesVendor Advisory

Timeline

No history available yet.