CVE-2022-24745Session Fixation in Platform

CWE-384Session Fixation3 documents3 sources
Severity
6.5MEDIUMNVD
EPSS
0.2%
top 59.62%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Shopware PlatformShopwareShopware Storefront
Timeline
PublishedMar 9
Latest updateMar 10

Description

Shopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework. In affected versions guest sessions are shared between customers when HTTP cache is enabled. This can lead to inconsistent experiences for guest users. Setups with Varnish are not affected by this issue. This issue has been resolved in version 6.4.8.2. Users unable to upgrade should disable the HTTP Cache.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:NExploitability: 3.9 | Impact: 2.5

Affected Packages4 packages

CVEListV5shopware/platform< 6.4.8.2
Packagistshopware/platform< 6.4.8.2
NVDshopware/shopware< 6.4.8.2
Packagistshopware/storefront< 6.4.8.2

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

2
GHSA
Shopware guest session is shared between customers2022-03-10
OSV
Shopware guest session is shared between customers2022-03-10