CVE-2023-22732 — Insufficient Session Expiration in Platform

CWE-613 — Insufficient Session Expiration3 documents3 sources

Severity

9.8CRITICALNVD

EPSS

0.4%

top 38.84%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Shopware Platform Shopware Shopware Core

Timeline

PublishedJan 17

Latest updateJan 20

Description

Shopware is an open source commerce platform based on Symfony Framework and Vue js. The Administration session expiration was set to one week, when an attacker has stolen the session cookie they could use it for a long period of time. In version 6.4.18.1 an automatic logout into the Administration session has been added. As a result the user will be logged out when they are inactive. Users are advised to upgrade. There are no known workarounds for this issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages4 packages

▶CVEListV5shopware/platform< 6.4.18.1

▶Packagistshopware/platform< 6.4.18.1

▶Packagistshopware/core< 6.4.18.1

▶NVDshopware/shopware< 6.4.18.1

Patches

Patch: docs.shopware.com ↗Patch: github.com ↗Patch: docs.shopware.com ↗

🔴Vulnerability Details

OSV

Shopware has Insufficient Session Expiration in Administration↗2023-01-20

▶

GHSA

Shopware has Insufficient Session Expiration in Administration↗2023-01-20

▶