CVE-2022-24892

Shopware is an open source e-commerce software platform. Starting with version 5.0.4 and before version 5.7.9, multiple tokens for password reset can be requested. All tokens can be used to change the password. This makes it possible for an attacker to take over the victim's account if they somehow gain access to the victims email account and find an unused password reset token in the emails. This issue is fixed in version 5.7.9.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6.4 MEDIUM
NETWORK
HIGH
LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N
GitHub_MCNA
6.4 MEDIUM
NETWORK
HIGH
LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N
CVEADP
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 51%
VendorProductVersion
shopwareshopware
5.0.4 ≤
𝑥
< 5.7.9
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-04-2022
https://github.com/shopware/shopware/security/advisories/GHSA-3qrq-r688-vvh4
https://www.shopware.com/en/changelog-sw5/#5-7-9
https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-04-2022
https://github.com/shopware/shopware/security/advisories/GHSA-3qrq-r688-vvh4
https://www.shopware.com/en/changelog-sw5/#5-7-9