PT-2022-16845 · Sylius · Sylius

Lchrusciel

·

Published

2022-03-14

·

Updated

2023-06-30

·

CVE-2022-24742

CVSS v3.1

5.0

Medium

Vector AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Sylius versions prior to 1.9.10, 1.10.11, and 1.11.2
Description: After an administrator logs out, pages from the admin panel that were viewed before logout can still be displayed in the same browser tab (for example, via the back button), so any other user of that browser can view the data. This can lead to a data leak, such as customer details or payment gateway configuration, if these pages were previously accessed by the administrator. The vulnerability requires full access to the computer to take advantage of it.
Recommendations: For versions prior to 1.9.10, 1.10.11, and 1.11.2, update to version 1.9.10, 1.10.11, or 1.11.2 to fix the issue. As a temporary workaround, consider implementing a strict redirect to the login page even when the browser back button is pressed. Another possibility is to set stricter cache policies for restricted content, such as 'no-store', by using a custom CacheControlSubscriber class.
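The workaround above (a custom cache-control subscriber) can be implemented as a Symfony event subscriber. The following is an added example written for this advisory; it is not Sylius project code and not the patch shipped in the fixed versions. It assumes the admin panel is served under the "/admin" path prefix (the Sylius default), that the application runs Symfony 5.3 or later (for ResponseEvent::isMainRequest()), and that the class is registered as a service with autoconfigure enabled so the event-subscriber tag is applied automatically; the class name AdminNoStoreSubscriber is a placeholder.

```php
<?php
// Added example (not Sylius project code): marks every admin-panel response as
// non-storable so the browser cannot redisplay it from its cache after logout.
// Assumptions: admin routes are under "/admin"; Symfony >= 5.3; autoconfigure
// registers this class as an event subscriber.

declare(strict_types=1);

namespace App\EventSubscriber;

use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpKernel\Event\ResponseEvent;
use Symfony\Component\HttpKernel\KernelEvents;

final class AdminNoStoreSubscriber implements EventSubscriberInterface
{
    // Path prefix of the restricted area; adjust if the admin panel is mounted elsewhere.
    private const ADMIN_PREFIX = '/admin';

    public static function getSubscribedEvents(): array
    {
        // Negative priority: run after other response listeners so these
        // headers are the final cache policy on the response.
        return [KernelEvents::RESPONSE => ['onKernelResponse', -10]];
    }

    public function onKernelResponse(ResponseEvent $event): void
    {
        // Sub-requests (fragments, ESI) inherit the main response's headers.
        if (!$event->isMainRequest()) {
            return;
        }

        $request = $event->getRequest();
        if (0 !== strpos($request->getPathInfo(), self::ADMIN_PREFIX)) {
            return; // not a restricted page, leave normal caching in place
        }

        $response = $event->getResponse();

        // no-store forbids writing the response to any cache, including the
        // browser's back/forward cache; no-cache and must-revalidate cover
        // clients that ignore no-store; private keeps shared proxies out.
        $response->headers->addCacheControlDirective('no-store');
        $response->headers->addCacheControlDirective('no-cache');
        $response->headers->addCacheControlDirective('must-revalidate');
        $response->headers->addCacheControlDirective('private');

        // Legacy HTTP/1.0 equivalents for old intermediaries.
        $response->headers->set('Pragma', 'no-cache');
        $response->headers->set('Expires', '0');
    }
}
```

To check that the subscriber is active, request any admin page while logged in and confirm the response carries a Cache-Control header containing no-store (for example with the browser's network inspector or curl -I). With no-store in place, navigating back after logout makes the browser re-request the page rather than render the cached copy, and the server's authentication layer then redirects to the login form.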

Information Disclosure

Exposure of Resource to Wrong Sphere

Weakness Enumeration

Related Identifiers

CVE-2022-24742
GHSA-7563-75J9-6H5P

Affected Products

Sylius