CVE-2022-24892

low-risk
Published 2022-04-28

Shopware is an open source e-commerce software platform. Starting with version 5.0.4 and before version 5.7.9, multiple tokens for password reset can be requested. All tokens can be used to change the password. This makes it possible for an attacker to take over the victim's account if they somehow gain access to the victims email account and find an unused password reset token in the emails. This issue is fixed in version 5.7.9.

Do I need to act?

-
0.29% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
6
CVSS 6.4/10 Medium
NETWORK / HIGH complexity

Affected Products (1)

Affected Vendors

Shopware

References (6)

Vendor Advisory https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-04-2...
Patch https://github.com/shopware/shopware/security/advisories/GHSA-3qrq-r688-vvh4
Release Notes https://www.shopware.com/en/changelog-sw5/#5-7-9
Vendor Advisory https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-04-2...
Patch https://github.com/shopware/shopware/security/advisories/GHSA-3qrq-r688-vvh4
Release Notes https://www.shopware.com/en/changelog-sw5/#5-7-9
26
/ 100
low-risk
Severity 20/34 · Moderate
Exploitability 1/34 · Minimal
Exposure 5/34 · Minimal