CVE-2022-24743

Опубликовано: 14 мар. 2022

Источник: nvd

CVSS3: 7.1

CVSS3: 8.2

CVSS2: 6.4

EPSS Низкий

Описание

Sylius is an open source eCommerce platform. Prior to versions 1.10.11 and 1.11.2, the reset password token was not set to null after the password was changed. The same token could be used several times, which could result in leak of the existing token and unauthorized password change. The issue is fixed in versions 1.10.11 and 1.11.2. As a workaround, overwrite the Sylius\Bundle\ApiBundle\CommandHandler\ResetPasswordHandler class with code provided by the maintainers and register it in a container. More information about this workaround is available in the GitHub Security Advisory.

Ссылки

https://github.com/Sylius/Sylius/releases/tag/v1.10.11
Third Party Advisory
https://github.com/Sylius/Sylius/releases/tag/v1.11.2
Third Party Advisory
https://github.com/Sylius/Sylius/security/advisories/GHSA-mf3v-f2qq-pf9g
Exploit
Third Party Advisory
https://github.com/Sylius/Sylius/releases/tag/v1.10.11
Third Party Advisory
https://github.com/Sylius/Sylius/releases/tag/v1.11.2
Third Party Advisory
https://github.com/Sylius/Sylius/security/advisories/GHSA-mf3v-f2qq-pf9g
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*

Версия от 1.10.0 (включая) до 1.10.11 (исключая)

cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*

Версия от 1.11.0 (включая) до 1.11.2 (исключая)

EPSS

Процентиль: 44%

0.00217

Низкий

7.1 High

CVSS3

8.2 High

CVSS3

6.4 Medium

CVSS2

Дефекты

CWE-613

Связанные уязвимости

GHSA-mf3v-f2qq-pf9g

CVSS3: 7.1

github

почти 4 года назад

Insufficient Session Expiration in Sylius

EPSS

Процентиль: 44%

0.00217

Низкий

7.1 High

CVSS3

8.2 High

CVSS3

6.4 Medium

CVSS2

Дефекты

CWE-613