GHSA-pf38-v6qj-j23h
Suggest an improvement- Source
- https://github.com/advisories/GHSA-pf38-v6qj-j23h
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/04/GHSA-pf38-v6qj-j23h/GHSA-pf38-v6qj-j23h.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-pf38-v6qj-j23h
- Aliases
-
- CVE-2022-24879
- Published
- 2022-04-28T21:01:53Z
- Modified
- 2023-11-08T04:08:39.296135Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
- Summary
- Malfunction of CSRF token validation in Shopware
- Details
-
Impact
The CSRF tokens were not renewed after login and logout. An attacker could impersonate the victim if the attacker is able to use the same device as the victim used beforehand.
Patches
We recommend updating to the current version 5.7.9. You can get the update to 5.7.9 regularly via the Auto-Updater or directly via the download overview. https://www.shopware.com/en/changelog-sw5/#5-7-9
For older versions you can use the Security Plugin: https://store.shopware.com/en/swag575294366635f/shopware-security-plugin.html
References
https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-04-2022
- Database specific
{ "nvd_published_at": "2022-04-28T15:15:00Z", "github_reviewed_at": "2022-04-28T21:01:53Z", "severity": "HIGH", "github_reviewed": true, "cwe_ids": [ "CWE-352" ] }- References
Affected packages
Packagist / shopware/shopware
Package
- Name
- shopware/shopware
- Purl
- pkg:composer/shopware/shopware
Affected versions
v5.*
v5.2.0
v5.2.1
v5.2.2
v5.2.3
v5.2.4
v5.2.5
v5.2.6
v5.2.7
v5.2.8
v5.2.9
v5.2.10
v5.2.11
v5.2.12
v5.2.13
v5.2.14
v5.2.15
v5.2.16
v5.2.17
v5.2.18
v5.2.19
v5.2.20
v5.2.21
v5.2.22
v5.2.23
v5.2.24
v5.2.25
v5.2.26
v5.2.27
v5.3.4
v5.3.5
v5.3.6
v5.3.7
v5.4.0-RC1
v5.4.0
v5.4.1
v5.4.2
v5.4.3
v5.4.4
v5.4.5
v5.4.6
v5.5.0-BETA1
v5.5.0-RC1
v5.5.0
v5.5.1
v5.5.2
v5.5.3
v5.5.4
v5.5.5
v5.5.6
v5.5.7
v5.5.8
v5.5.9
v5.5.10
v5.6.0-RC1
v5.6.0
v5.6.1
v5.6.2
v5.6.3
v5.6.4
v5.6.5
v5.6.6
v5.6.7
v5.6.8
v5.6.9
v5.6.10
v5.7.0-RC1
v5.7.0-RC2
v5.7.0
v5.7.1
v5.7.2
v5.7.3
v5.7.4
v5.7.5
v5.7.6
v5.7.7
v5.7.8
5.*
5.3.0