Lucene search

GitHub_MCVELIST:CVE-2023-22732

HistoryJan 17, 2023 - 9:34 p.m.

CVE-2023-22732 Insufficient Session Expiration in Administration in shopware

2023-01-1721:34:26

CWE-613

GitHub_M

www.cve.org

cve-2023-22732

insufficient session expiration

shopware

symfony framework

vue js

automatic logout

3.7 Low

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

9.7 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

55.8%

JSON

Shopware is an open source commerce platform based on Symfony Framework and Vue js. The Administration session expiration was set to one week, when an attacker has stolen the session cookie they could use it for a long period of time. In version 6.4.18.1 an automatic logout into the Administration session has been added. As a result the user will be logged out when they are inactive. Users are advised to upgrade. There are no known workarounds for this issue.

CNA Affected

[
  {
    "vendor": "shopware",
    "product": "platform",
    "versions": [
      {
        "version": "< 6.4.18.1",
        "status": "affected"
      }
    ]
  }
]

References

docs.shopware.com/en/shopware-6-en/security-updates/security-update-01-2023?category=security-updates

github.com/shopware/platform/commit/cd7a89cbcd3a0428c6d1ef27b3aa15467a722ff6

github.com/shopware/platform/security/advisories/GHSA-59qg-93jg-236f

3.7 Low

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

9.7 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

55.8%

JSON

Related for CVELIST:CVE-2023-22732