Insufficient Session Expiration in Administration in shopware
CVE-2023-22732

3.7LOW

Key Information:

Vendor

Shopware

Status
Platform
Vendor
CVE Published:
17 January 2023

What is CVE-2023-22732?

Shopware, an open-source commerce platform, has a vulnerability in its administration session management where the session expiration was initially set to one week. This design flaw allows an attacker who has stolen the session cookie to maintain access for an extended period. To mitigate this risk, version 6.4.18.1 introduces automatic logout functionality that invalidates the session upon user inactivity. Users are strongly urged to upgrade to this version as there are no available workarounds for this issue.

Affected Version(s)

platform < 6.4.18.1

References

https://github.com/shopware/platform/security/advisories/...
x_refsource_CONFIRM
https://github.com/shopware/platform/commit/cd7a89cbcd3a0...
x_refsource_MISC
https://docs.shopware.com/en/shopware-6-en/security-updat...
x_refsource_MISC

CVSS V3.1

Score:
3.7
Severity:
LOW
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.