Vulnerability Details: CVE-2022-24892
Shopware is an open source e-commerce software platform. Starting with version 5.0.4 and before version 5.7.9, multiple tokens for password reset can be requested, and every one of them remains valid and can be used to change the password. This makes it possible for an attacker to take over the victim's account if they somehow gain access to the victim's email account and find an unused password reset token in the emails. This issue is fixed in version 5.7.9.
Products affected by CVE-2022-24892
- cpe:2.3:a:shopware:shopware:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-24892
0.29% (probability of exploitation activity in the next 30 days)
EPSS Score History
~52% (percentile: the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2022-24892
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P | 8.6 | 6.4 | NIST | |
7.5 | HIGH | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.6 | 5.9 | NIST | |
6.4 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N | 1.2 | 5.2 | GitHub, Inc. | |
CWE ids for CVE-2022-24892
- The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.
Assigned by:
- nvd@nist.gov (Primary)
- security-advisories@github.com (Secondary)
References for CVE-2022-24892
- https://www.shopware.com/en/changelog-sw5/#5-7-9 (Shopware Changelog; Release Notes; Vendor Advisory)
- https://github.com/shopware/shopware/security/advisories/GHSA-3qrq-r688-vvh4 (Multiple valid tokens for password reset · Advisory · shopware/shopware · GitHub; Patch; Third Party Advisory)
- https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-04-2022 (Shopware 5 - Security Updates - Security Update 04/2022; Vendor Advisory)