CVE-2022-24745

EPSS 0.19%
Veröffentlicht 09.03.2022 23:15:08
Zuletzt bearbeitet 21.11.2024 06:51:00
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Shopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework. In affected versions guest sessions are shared between customers when HTTP cache is enabled. This can lead to inconsistent experiences for guest users. Setups with Varnish are not affected by this issue. This issue has been resolved in version 6.4.8.2. Users unable to upgrade should disable the HTTP Cache.

Betroffene Produkte Warnungen 0 Metriken 4 CWE 1 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Shopware ≫ Shopware Version < 6.4.8.2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.19%	0.375

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.5	3.9	2.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
nvd@nist.gov	5.8	8.6	4.9	AV:N/AC:M/Au:N/C:P/I:P/A:N
security-advisories@github.com	4.8	2.2	2.5	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

CWE-384 Session Fixation

Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

https://github.com/shopware/platform/security/advisories/GHSA-jp6h-mxhx-pgqh

Patch

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2022-24745

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-24745

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-24745

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2022-24745