PT-2022-16843 · Volto+1

Sneridagh · Published 2022-03-14 · Updated 2022-03-22 · CVE-2022-24740

CVSS v2.0: 6.0 (Medium)
Vector: AV:N/AC:M/Au:S/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: Volto versions 14.0.0-alpha.5 through 15.0.0-alpha.0

Description: The issue occurs when Volto uses an outdated version of the react-cookie library and the server is under high load: one user's authentication cookie can be replaced with another user's, effectively giving that user control of the other user's account and privileges. Although no proof of concept currently exists, the issue can occur in the wild.

Recommendations: For Volto versions 14.0.0-alpha.5 through 15.0.0-alpha.0, upgrade to Volto 15.0.0-alpha.0 or later to resolve the issue. As a temporary workaround, manually upgrade the react-cookie package to 4.1.1 and override all Volto components that use this library.
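The description above names the symptom (one user's authentication cookie replaced by another's under load) but not the mechanism. The example below is added here to illustrate the bug class a reviewer would look for; it is not Volto or react-cookie code, and it assumes, as an illustration only, that the leak comes from a cookie store created once per server process and reused across concurrent server-side renders. `CookieJar`, `runInterleaved`, `crossUserRenders` and the sample requests are all constructed for this example.

```javascript
// Added example: a minimal model of server-side rendering that shows how a
// process-wide cookie store lets one request's auth cookie bleed into
// another's when requests overlap. This is NOT react-cookie or Volto code;
// the shared-store mechanism is an assumption made for illustration.

// Tiny cookie store standing in for a real cookie library.
class CookieJar {
  constructor(initial = {}) {
    this.store = { ...initial };
  }
  set(name, value) {
    this.store[name] = value;
  }
  get(name) {
    return this.store[name];
  }
}

// Vulnerable pattern (assumed): one jar created at module load and reused
// for every request handled by this process.
const sharedJar = new CookieJar();

// Each handler is a generator; `yield` marks the point where a real server
// would await a data fetch, letting another request run in the meantime.
function* handleRequestSharedJar(requestCookies) {
  for (const [name, value] of Object.entries(requestCookies)) {
    sharedJar.set(name, value); // overwrites whatever the previous request left
  }
  yield; // "await" backend data; other requests may run here
  return sharedJar.get('auth_token'); // may now belong to someone else
}

// Hardened pattern: a fresh jar per request, so concurrent requests cannot
// observe each other's cookies.
function* handleRequestPerRequestJar(requestCookies) {
  const jar = new CookieJar(requestCookies);
  yield;
  return jar.get('auth_token');
}

// Round-robin scheduler standing in for the event loop under load: every
// pending request advances one step before any request advances again.
function runInterleaved(handler, requests) {
  const tasks = requests.map((r) => ({
    user: r.user,
    expected: r.cookies.auth_token,
    gen: handler(r.cookies),
    done: false,
    rendered: undefined,
  }));
  while (tasks.some((t) => !t.done)) {
    for (const t of tasks) {
      if (t.done) continue;
      const step = t.gen.next();
      if (step.done) {
        t.done = true;
        t.rendered = step.value;
      }
    }
  }
  return tasks;
}

// Detection check a reviewer or test could apply: did any response render
// with an auth token that did not arrive on that request?
function crossUserRenders(tasks) {
  return tasks.filter((t) => t.rendered !== t.expected).map((t) => t.user);
}

// Constructed sample: two users whose requests overlap in time.
const SAMPLE_REQUESTS = [
  { user: 'alice', cookies: { auth_token: 'token-alice' } },
  { user: 'bob', cookies: { auth_token: 'token-bob' } },
];

function demo() {
  const shared = runInterleaved(handleRequestSharedJar, SAMPLE_REQUESTS);
  const isolated = runInterleaved(handleRequestPerRequestJar, SAMPLE_REQUESTS);
  return {
    sharedLeaks: crossUserRenders(shared), // ['alice']
    isolatedLeaks: crossUserRenders(isolated), // []
    sharedRenders: Object.fromEntries(shared.map((t) => [t.user, t.rendered])),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

With the shared jar, Alice's request parses her cookie, Bob's request then overwrites it before Alice's render resumes, and Alice's page is rendered with Bob's token; the per-request jar renders each page with the token that actually arrived on that request. The `crossUserRenders` check is the kind of regression test worth keeping after applying the fix, since the leak only shows up when requests interleave.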

Exploit

Fix

Weakness Enumeration

Improper Authentication

Related Identifiers

CVE-2022-24740
GHSA-CFHH-XGWQ-5R67

Affected Products

Volto
React-Cookie