5.5

CVE-2022-24742

Exposure of Sensitive Information Due to Incompatible Policies in Sylius

Sylius is an open source eCommerce platform. Prior to versions 1.9.10, 1.10.11, and 1.11.2, any other user can view the data if browser tab remains unclosed after log out. The issue is fixed in versions 1.9.10, 1.10.11, and 1.11.2. A workaround is available. The application must strictly redirect to login page even browser back button is pressed. Another possibility is to set more strict cache policies for restricted content.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
SyliusSylius Version < 1.9.10
SyliusSylius Version >= 1.10.0 < 1.10.11
SyliusSylius Version >= 1.11.0 < 1.11.2
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.79% 0.514
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5.5 1.8 3.6
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
nvd@nist.gov 4.3 8.6 2.9
AV:N/AC:M/Au:N/C:P/I:N/A:N
security-advisories@github.com 5 1.3 3.6
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

CWE-668 Exposure of Resource to Wrong Sphere

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

https://github.com/Sylius/Sylius/releases/tag/v1.10.11
Third Party Advisory
Release Notes
https://github.com/Sylius/Sylius/releases/tag/v1.11.2
Third Party Advisory
Release Notes
https://github.com/Sylius/Sylius/releases/tag/v1.9.10
Third Party Advisory
Release Notes
https://github.com/Sylius/Sylius/security/advisories/GHSA-7563-75j9-6h5p
Third Party Advisory
Mitigation