CVE-2025-22387

Published: Jan 4, 2025Modified: May 21, 2025

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 3.9 / Impact: 3.6

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

An issue was discovered in Optimizely Configured Commerce before 5.2.2408. A medium-severity issue exists in requests for resources where the session token is submitted as a URL parameter. This exposes information about the authenticated session, which can be leveraged for session hijacking.

Affected (1)

Products: Optimizely: Configured Commerce

1 product

Configured Commerce

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Optimizely Configured Commerce	Before 5.2.2408

Related CWEs

Use of GET Request Method With Sensitive Query Strings

The web application uses the HTTP GET method to process a request and includes sensitive information in the query string of that request.

References (1)

https://support.optimizely.com/hc/en-us/articles/32695551034893-Configured-Commerce-Security-Advisory-COM-2024-06

Source: cve@mitre.org

Vendor Advisory

Timeline

No history available yet.