CVE-2022-24743

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2022-24743

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-24743.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2022-24743

Aliases

GHSA-mf3v-f2qq-pf9g

Withdrawn

2024-05-15T05:33:29.497306Z

Published

2022-03-14T21:15:07Z

Modified

2023-11-08T04:08:34.760416Z

Severity

8.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N CVSS Calculator

Summary

[none]

Details

Sylius is an open source eCommerce platform. Prior to versions 1.10.11 and 1.11.2, the reset password token was not set to null after the password was changed. The same token could be used several times, which could result in leak of the existing token and unauthorized password change. The issue is fixed in versions 1.10.11 and 1.11.2. As a workaround, overwrite the Sylius\Bundle\ApiBundle\CommandHandler\ResetPasswordHandler class with code provided by the maintainers and register it in a container. More information about this workaround is available in the GitHub Security Advisory.

References

Affected packages

Git / github.com/sylius/sylius

Affected ranges

Type: GIT
Repo: https://github.com/sylius/sylius
Events: Introduced

d8a10279adea6a11039f2aeef37bc2cbc686c971

Fixed

c1f4588f8817e42a9bbdc1d1c14b188bd53d79e8

Introduced

a367bc010cbee9fdf491dc76397198231f14ab63