GoogleOSV:GHSA-59QG-93JG-236FShopware has Insufficient Session Expiration in Administration
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.002 Low
EPSS
Percentile
55.8%
Impact
The Administration session expiration was set to one week, when an attacker has stolen the session cookie they could use it for a long period of time.
Patches
We added an automatic logout into the Administration, so the user will be logged out when they are inactive.
References
References
docs.shopware.com/en/shopware-6-en/security-updates/security-update-01-2023?category=security-updates
github.com/shopware/platform
github.com/shopware/platform/commit/cd7a89cbcd3a0428c6d1ef27b3aa15467a722ff6
github.com/shopware/platform/security/advisories/GHSA-59qg-93jg-236f
nvd.nist.gov/vuln/detail/CVE-2023-22732
Related
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.002 Low
EPSS
Percentile
55.8%