7.5
CVE-2022-24892
- EPSS 0.81%
- Veröffentlicht 28.04.2022 15:15:10
- Zuletzt bearbeitet 21.11.2024 06:51:20
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
LoginMultiple valid tokens for password reset in Shopware
Shopware is an open source e-commerce software platform. Starting with version 5.0.4 and before version 5.7.9, multiple tokens for password reset can be requested. All tokens can be used to change the password. This makes it possible for an attacker to take over the victim's account if they somehow gain access to the victims email account and find an unused password reset token in the emails. This issue is fixed in version 5.7.9.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.81% | 0.521 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 7.5 | 1.6 | 5.9 |
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
|
| nvd@nist.gov | 6.8 | 8.6 | 6.4 |
AV:N/AC:M/Au:N/C:P/I:P/A:P
|
| security-advisories@github.com | 6.4 | 1.2 | 5.2 |
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N
|
CWE-640 Weak Password Recovery Mechanism for Forgotten Password
The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.
https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-04-2022
https://www.shopware.com/en/changelog-sw5/#5-7-9
https://github.com/shopware/shopware/security/advisories/GHSA-3qrq-r688-vvh4