Описание
Shopware 6's password recovery link does not expire after email change
Summary
When a customer changes their email address after requesting a password reset, the old password reset link (tied to the previous email) remains valid. An attacker with access to the old email inbox is potentially able to reset the customer’s password even after the user changes their email address.
PoC
- Log in to a Shopware account.
- Request a password reset for your current email address.
- Copy the password reset link but do not open it.
- Log back into your account.n
- Navigate to Account Settings → Email and change your email address.
- Use the previously copied reset link (from before the email change).
- The system allows password change using the old link.
Impact
Reproduced on Stable 6.6.10.7 and trunk.
Ссылки
- https://github.com/shopware/shopware/security/advisories/GHSA-2w46-vq8h-98vh
- https://github.com/shopware/shopware/commit/1338dd9a11e361639704bf8f09b6878552eb8c13
- https://github.com/shopware/shopware/commit/2fb94855696a90045b81c503d216ba7df8e64e52
- https://github.com/shopware/shopware/releases/tag/v6.6.10.9
- https://github.com/shopware/shopware/releases/tag/v6.7.0.0
- https://github.com/shopware/shopware/releases/tag/v6.7.4.1
Пакеты
Наименование
shopware/core
composer
Затронутые версииВерсия исправления
< 6.6.10.9
6.6.10.9
Наименование
shopware/core
composer
Затронутые версииВерсия исправления
>= 6.7.0.0, < 6.7.4.1
6.7.4.1
5 Medium
CVSS3
Дефекты
CWE-640
5 Medium
CVSS3
Дефекты
CWE-640