← Zuruck zu CVEs
CVE-2022-24892
MEDIUM6.4
Beschreibung
Shopware is an open source e-commerce software platform. Starting with version 5.0.4 and before version 5.7.9, multiple tokens for password reset can be requested. All tokens can be used to change the password. This makes it possible for an attacker to take over the victim's account if they somehow gain access to the victims email account and find an unused password reset token in the emails. This issue is fixed in version 5.7.9.
CVE Details
CVSS v3.1 Bewertung6.4
SchweregradMEDIUM
CVSS VektorCVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N
AngriffsvektorNETWORK
KomplexitatHIGH
Erforderliche PrivilegienLOW
BenutzerinteraktionREQUIRED
Veroffentlicht4/28/2022
Zuletzt geandert11/21/2024
Quellenvd
Honeypot-Sichtungen0
Betroffene Produkte
shopware:shopware
Schwachen (CWE)
CWE-640CWE-640
Referenzen
https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-04-2022(security-advisories@github.com)
https://github.com/shopware/shopware/security/advisories/GHSA-3qrq-r688-vvh4(security-advisories@github.com)
https://www.shopware.com/en/changelog-sw5/#5-7-9(security-advisories@github.com)
https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-04-2022(af854a3a-2127-422b-91ae-364da2661108)
https://github.com/shopware/shopware/security/advisories/GHSA-3qrq-r688-vvh4(af854a3a-2127-422b-91ae-364da2661108)
https://www.shopware.com/en/changelog-sw5/#5-7-9(af854a3a-2127-422b-91ae-364da2661108)
IOC Korrelationen
Keine Korrelationen erfasst
This product uses data from the NVD API but is not endorsed or certified by the NVD.