CVE-2022-24743
Last modified
CVE-2022-24743 is a high-severity vulnerability rated 8.2/10 on the CVSS scale. Sylius is an open source eCommerce platform. Prior to versions 1.10.11 and 1.11.2, the reset password token was not set to null after the password was changed. EPSS estimates a 1.23% chance of exploitation in the next 30 days.
Description
Sylius is an open source eCommerce platform. Prior to versions 1.10.11 and 1.11.2, the reset password token was not set to null after the password was changed. The same token could be used several times, which could result in leak of the existing token and unauthorized password change. The issue is fixed in versions 1.10.11 and 1.11.2. As a workaround, overwrite the `Sylius\Bundle\ApiBundle\CommandHandler\ResetPasswordHandler` class with code provided by the maintainers and register it in a container. More information about this workaround is available in the GitHub Security Advisory.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Sylius | Sylius | >= 1.10.0, < 1.10.11 |
| Sylius | Sylius | >= 1.11.0, < 1.11.2 |
References
- https://github.com/Sylius/Sylius/releases/tag/v1.10.11Third Party Advisory
- https://github.com/Sylius/Sylius/releases/tag/v1.11.2Third Party Advisory
- https://github.com/Sylius/Sylius/security/advisories/GHSA-mf3v-f2qq-pf9gExploit, Third Party Advisory
- https://github.com/Sylius/Sylius/releases/tag/v1.10.11Third Party Advisory
- https://github.com/Sylius/Sylius/releases/tag/v1.11.2Third Party Advisory
- https://github.com/Sylius/Sylius/security/advisories/GHSA-mf3v-f2qq-pf9gExploit, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2022-24743?
How severe is CVE-2022-24743?
How do I fix CVE-2022-24743?
Are you affected by CVE-2022-24743?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST