CVE-2022-24744: Insufficient Session Expiration in Platform

Severity: 3.5 LOW (NVD)
EPSS: 0.2% (top 63.23%)
CISA KEV: Not in KEV
Exploit: No known exploits

Timeline
Published: Mar 9
Latest update: Mar 10

Description

Shopware is an open commerce platform based on the Symfony PHP framework and the Vue JavaScript framework. In affected versions, user sessions are not logged out if the password is reset via password recovery. This issue has been resolved in version 6.4.8.1. For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
Exploitability: 2.1 | Impact: 1.4

Affected Packages (4 packages)

CVEListV5: shopware/platform < 6.4.8.1
Packagist: shopware/platform < 6.4.8.1
Packagist: shopware/core < 6.4.8.1
NVD: shopware/shopware < 6.4.8.1

Patches

Vulnerability Details (2)

GHSA: Shopware user session is not logged out if the password is reset via password recovery (2022-03-10)
OSV: Shopware user session is not logged out if the password is reset via password recovery (2022-03-10)