CVE-2022-24892
6.4
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N
Summary
Shopware is an open source e-commerce software platform. Starting with version 5.0.4 and before version 5.7.9, multiple tokens for password reset can be requested. All tokens can be used to change the password. This makes it possible for an attacker to take over the victim's account if they somehow gain access to the victims email account and find an unused password reset token in the emails. This issue is fixed in version 5.7.9.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| shopware | shopware | >= 5.0.4, < 5.7.9 | affected |
Weaknesses
- CWE-640: CWE-640: Weak Password Recovery Mechanism for Forgotten Password
ADP Enrichment
CVE Program Container
Additional References
- https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-04-2022
- https://www.shopware.com/en/changelog-sw5/#5-7-9
- https://github.com/shopware/shopware/security/advisories/GHSA-3qrq-r688-vvh4
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
- https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-04-2022
- https://www.shopware.com/en/changelog-sw5/#5-7-9
- https://github.com/shopware/shopware/security/advisories/GHSA-3qrq-r688-vvh4
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.