GitHub_MCVELIST:CVE-2022-24742CVE-2022-24742 Exposure of Sensitive Information Due to Incompatible Policies in Sylius
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
EPSS
Percentile
32.0%
Sylius is an open source eCommerce platform. Prior to versions 1.9.10, 1.10.11, and 1.11.2, any other user can view the data if browser tab remains unclosed after log out. The issue is fixed in versions 1.9.10, 1.10.11, and 1.11.2. A workaround is available. The application must strictly redirect to login page even browser back button is pressed. Another possibility is to set more strict cache policies for restricted content.
CNA Affected
[
{
"product": "Sylius",
"vendor": "Sylius",
"versions": [
{
"status": "affected",
"version": "< 1.9.10"
},
{
"status": "affected",
"version": ">= 1.10.0, < 1.10.11"
},
{
"status": "affected",
"version": ">= 1.11.0, < 1.11.2"
}
]
}
]Related
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
EPSS
Percentile
32.0%