PT-2023-18674 · Shopware · Shopware
Shyim
Published 2023-01-17 · Updated 2023-01-25
CVE-2023-22732
CVSS v3.1: 3.7 (Low)
| Vector | AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Shopware versions prior to 6.4.18.1
Description
The Administration session expiration was set to one week, allowing an attacker who had stolen the session cookie to use it for a long period. Version 6.4.18.1 adds an automatic logout from the Administration, signing out inactive users.
Recommendations
For versions prior to 6.4.18.1, upgrade to version 6.4.18.1 or later, which adds automatic logout of inactive Administration sessions.
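The weakness above is a session whose only bound is a long absolute lifetime: once a cookie is stolen, nothing shortens its usefulness. The added example below (not Shopware's code; the policy values and the `Session`/`SessionPolicy` names are assumptions) models a session validator with two bounds, an absolute lifetime measured from login and an idle timeout measured from the last request, and compares a replayed cookie under a one-week-only policy against a policy that also logs out inactive users.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class SessionPolicy:
    absolute_lifetime: timedelta        # hard cap measured from login
    idle_timeout: Optional[timedelta]   # None means no inactivity logout


@dataclass
class Session:
    token: str
    created_at: datetime
    last_activity: datetime


# Hypothetical policies for illustration; these are not Shopware's real settings.
WEAK_POLICY = SessionPolicy(absolute_lifetime=timedelta(days=7), idle_timeout=None)
HARDENED_POLICY = SessionPolicy(absolute_lifetime=timedelta(days=7),
                                idle_timeout=timedelta(minutes=30))


def session_is_valid(session: Session, now: datetime, policy: SessionPolicy) -> bool:
    """A session is valid only if both the absolute and the idle bound hold."""
    if now - session.created_at > policy.absolute_lifetime:
        return False
    if policy.idle_timeout is not None and now - session.last_activity > policy.idle_timeout:
        return False
    return True


def touch(session: Session, now: datetime, policy: SessionPolicy) -> bool:
    """Record activity for a request; a request on an expired session is rejected."""
    if not session_is_valid(session, now, policy):
        return False
    session.last_activity = now
    return True


def exposure_window(policy: SessionPolicy) -> timedelta:
    """Longest time a cookie stays usable after the legitimate user's last request."""
    if policy.idle_timeout is None:
        return policy.absolute_lifetime
    return min(policy.idle_timeout, policy.absolute_lifetime)


def simulate_replay(policy: SessionPolicy, idle_gap: timedelta) -> bool:
    """Constructed scenario: user logs in, works 10 minutes, then the cookie is
    presented again after idle_gap of inactivity. Returns whether it is accepted."""
    login = datetime(2023, 1, 17, 9, 0, tzinfo=timezone.utc)
    session = Session("constructed-token", created_at=login, last_activity=login)
    touch(session, login + timedelta(minutes=10), policy)
    replay_at = session.last_activity + idle_gap
    return session_is_valid(session, replay_at, policy)


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, "replay after 3 days accepted:",
              simulate_replay(policy, timedelta(days=3)),
              "| exposure window:", exposure_window(policy))
```

The point to check in an audit is `exposure_window`: with no idle timeout it equals the full absolute lifetime, so a cookie replayed days after the admin stopped working is still accepted; adding the idle bound shrinks that window to the inactivity limit without shortening a working admin's day.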
Weakness Enumeration
Insufficient Session Expiration
Related Identifiers
CVE-2023-22732
Affected Products
Shopware