GitHub_MCVELIST:CVE-2022-21652CVE-2022-21652 Insufficient Session Expiration in shopware
3.5 Low
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
8.3 High
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
42.3%
Shopware is an open source e-commerce software platform. In affected versions shopware would not invalidate a user session in the event of a password change. With version 5.7.7 the session validation was adjusted, so that sessions created prior to the latest password change of a customer account can’t be used to login with said account. This also means, that upon a password change, all existing sessions for a given customer account are automatically considered invalid. There is no workaround for this issue.
CNA Affected
[
{
"product": "shopware",
"vendor": "shopware",
"versions": [
{
"status": "affected",
"version": ">=5.7.3, < 5.7.7"
}
]
}
]Related
3.5 Low
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
8.3 High
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
42.3%