CVE-2022-24744

low-risk
Published 2022-03-09

Shopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework. In affected versions user sessions are not logged out if the password is reset via password recovery. This issue has been resolved in version 6.4.8.1. For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin.

Do I need to act?

-
0.16% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
2
CVSS 2.6/10 Low
NETWORK / HIGH complexity

Affected Products (1)

Affected Vendors

Shopware

References (2)

Patch https://github.com/shopware/platform/security/advisories/GHSA-w267-m9c4-8555
Patch https://github.com/shopware/platform/security/advisories/GHSA-w267-m9c4-8555
16
/ 100
low-risk
Severity 10/34 · Low
Exploitability 1/34 · Minimal
Exposure 5/34 · Minimal