Exposure of Sensitive Information Due to Incompatible Policies in Sylius
CVE-2022-24742

5MEDIUM

Key Information:

Vendor

Sylius

Status
Sylius
Vendor
CVE Published:
14 March 2022

What is CVE-2022-24742?

Sylius is an open source eCommerce platform. Prior to versions 1.9.10, 1.10.11, and 1.11.2, any other user can view the data if browser tab remains unclosed after log out. The issue is fixed in versions 1.9.10, 1.10.11, and 1.11.2. A workaround is available. The application must strictly redirect to login page even browser back button is pressed. Another possibility is to set more strict cache policies for restricted content.

Affected Version(s)

Sylius < 1.9.10 < 1.9.10

Sylius >= 1.10.0, < 1.10.11 < 1.10.0, 1.10.11

Sylius >= 1.11.0, < 1.11.2 < 1.11.0, 1.11.2

References

https://github.com/Sylius/Sylius/releases/tag/v1.10.11
x_refsource_MISC
https://github.com/Sylius/Sylius/releases/tag/v1.11.2
x_refsource_MISC
https://github.com/Sylius/Sylius/releases/tag/v1.9.10
x_refsource_MISC

CVSS V3.1

Score:
5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.