cvelist | Mend | CVELIST:CVE-2022-23063
History: May 03, 2022 - 8:55 a.m.

CVE-2022-23063 Shopizer - Insufficient Session Expiration

2022-05-03 08:55:09
CWE-613
Mend
www.cve.org
cve-2022-23063
shopizer
insufficient session expiration
vulnerability
password change

CVSS3: 8.8

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score: 8.9
Confidence: High

EPSS: 0.001
Percentile: 41.1%

Shopizer versions 2.3.0 to 3.0.1 are vulnerable to Insufficient Session Expiration. When a password has been changed by the user or by an administrator, a user who was already logged in will still have access to the application even after the password was changed.

CNA Affected

[
  {
    "product": "Shopizer",
    "vendor": "shopizer-ecommerce",
    "versions": [
      {
        "lessThan": "unspecified",
        "status": "affected",
        "version": "2.3.0",
        "versionType": "custom"
      },
      {
        "lessThanOrEqual": "3.0.1",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]
