Guest session is shared between customers in shopware
CVE-2022-24745

4.8MEDIUM

Key Information:

Vendor: Shopware
Status: Platform
Vendor: CVE Published:; 9 March 2022

What is CVE-2022-24745?

Shopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework. In affected versions guest sessions are shared between customers when HTTP cache is enabled. This can lead to inconsistent experiences for guest users. Setups with Varnish are not affected by this issue. This issue has been resolved in version 6.4.8.2. Users unable to upgrade should disable the HTTP Cache.

Affected Version(s)

platform < 6.4.8.2

References

https://github.com/shopware/platform/security/advisories/...

x_refsource_CONFIRM

CVSS V3.1

Score:

4.8

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 9, 2022
Vulnerability Reserved
Feb 10, 2022