CVE-2022-24879
HIGH7.5EPSS 0.14%Malfunction of CSRF token validation in Shopware
Published: 4/28/2022Modified: 11/8/2023
Also known as:GHSA-pf38-v6qj-j23h
Description
### Impact The CSRF tokens were not renewed after login and logout. An attacker could impersonate the victim if the attacker is able to use the same device as the victim used beforehand. ### Patches We recommend updating to the current version 5.7.9. You can get the update to 5.7.9 regularly via the Auto-Updater or directly via the download overview. https://www.shopware.com/en/changelog-sw5/#5-7-9 For older versions you can use the Security Plugin: https://store.shopware.com/en/swag575294366635f/shopware-security-plugin.html ### References https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-04-2022
Affected packages (1)
- Packagist/shopware/shopware>= 5.2.0, < 5.7.9
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
References (5)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-24879
- PATCHhttps://github.com/shopware/shopware
- WEBhttps://docs.shopware.com/en/shopware-5-en/security-updates/security-update-04-2022
- WEBhttps://github.com/shopware/shopware/security/advisories/GHSA-pf38-v6qj-j23h
- WEBhttps://www.shopware.com/en/changelog-sw5/#5-7-9