CVSS base score: 7.5

CVE-2022-24740

Volto is a ReactJS-based frontend for the Plone Content Management System. Between versions 14.0.0-alpha.5 and 15.0.0-alpha.0, a user could have their authentication cookie replaced with the authentication cookie of another user, effectively giving them control of the other user's account and privileges. This occurs when an outdated version of the `react-cookie` library is used and the server is under high load. A proof of concept does not currently exist, but it is possible for this issue to occur in the wild. The patch and fix are present in Volto 15.0.0-alpha.0. As a workaround, one may manually upgrade the `react-cookie` package to 4.1.1 and then override all Volto components that use this library.

Data is provided by the National Vulnerability Database (NVD)
Affected configurations

| Vendor | Product | Version | Update | Software platform |
|---|---|---|---|---|
| Plone | Volto | >= 14.1.0, <= 14.10.0 | | node.js |
| Plone | Volto | 14.0.0 | - | node.js |
| Plone | Volto | 14.0.0 | alpha6 | node.js |
| Plone | Volto | 14.0.0 | alpha7 | node.js |
| Plone | Volto | 14.0.0 | alpha8 | node.js |
| Plone | Volto | 14.0.0 | alpha9 | node.js |
| Plone | Volto | 14.0.0 | alpha10 | node.js |
| Plone | Volto | 14.0.0 | alpha11 | node.js |
| Plone | Volto | 14.0.0 | alpha12 | node.js |
| Plone | Volto | 14.0.0 | alpha13 | node.js |
| Plone | Volto | 14.0.0 | alpha14 | node.js |
| Plone | Volto | 14.0.0 | alpha15 | node.js |
| Plone | Volto | 14.0.0 | alpha16 | node.js |
| Plone | Volto | 14.0.0 | alpha17 | node.js |
| Plone | Volto | 14.0.0 | alpha18 | node.js |
| Plone | Volto | 14.0.0 | alpha19 | node.js |
| Plone | Volto | 14.0.0 | alpha20 | node.js |
| Plone | Volto | 14.0.0 | alpha21 | node.js |
| Plone | Volto | 14.0.0 | alpha22 | node.js |
| Plone | Volto | 14.0.0 | alpha23 | node.js |
| Plone | Volto | 14.0.0 | alpha24 | node.js |
| Plone | Volto | 14.0.0 | alpha25 | node.js |
| Plone | Volto | 14.0.0 | alpha26 | node.js |
| Plone | Volto | 14.0.0 | alpha27 | node.js |
| Plone | Volto | 14.0.0 | alpha28 | node.js |
| Plone | Volto | 14.0.0 | alpha29 | node.js |
| Plone | Volto | 14.0.0 | alpha30 | node.js |
| Plone | Volto | 14.0.0 | alpha31 | node.js |
| Plone | Volto | 14.0.0 | alpha32 | node.js |
| Plone | Volto | 14.0.0 | alpha33 | node.js |
| Plone | Volto | 14.0.0 | alpha34 | node.js |
| Plone | Volto | 14.0.0 | alpha35 | node.js |
| Plone | Volto | 14.0.0 | alpha36 | node.js |
| Plone | Volto | 14.0.0 | alpha37 | node.js |
| Plone | Volto | 14.0.0 | alpha38 | node.js |
| Plone | Volto | 14.0.0 | alpha39 | node.js |
| Plone | Volto | 14.0.0 | alpha40 | node.js |
| Plone | Volto | 14.0.0 | alpha41 | node.js |
| Plone | Volto | 14.0.0 | alpha42 | node.js |
| Plone | Volto | 14.0.0 | alpha43 | node.js |
| Plone | Volto | 15.0.0 | alpha0 | node.js |
No CISA KEV entry or CERT.AT advisory was found for this CVE.
EPSS metrics

| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.26% | 0.49 |
CVSS metrics

| Source | Base score | Exploitability score | Impact score | Vector string |
|---|---|---|---|---|
| nvd@nist.gov | 7.5 | 1.6 | 5.9 | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd@nist.gov | 6.0 | 6.8 | 6.4 | AV:N/AC:M/Au:S/C:P/I:P/A:P (CVSS v2) |
| security-advisories@github.com | 5.0 | 1.6 | 3.4 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L |
CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.