Lucene search
Veracode Vulnerability DatabaseVERACODE:35325HistoryApr 29, 2022 - 5:51 a.m.
Information Disclosure
2022-04-2905:51:11
Veracode Vulnerability Database
sca.analysiscenter.veracode.com
6
0.003 Low
EPSS
Percentile
66.4%
shopware/shopware is vulnerable to information disclosure. The vulnerability exists in Account.php because multiple tokens requests are allowed and the generated tokens are not properly validated during a password reset which allows an attacker to gain access to user’s email account and token information.
| CPE | Name | Operator | Version |
|---|---|---|---|
| shopware/shopware | le | 1.0.8 | |
| shopware/shopware | le | v5.7.8 | |
| shopware/shopware | le | 1.0.8 | |
| shopware/shopware | le | v5.7.8 |
References
docs.shopware.com/en/shopware-5-en/security-updates/security-update-04-2022
github.com/shopware/shopware/blob/1.0.8/engine/Shopware/Controllers/Frontend/Account.php#L502-L514
github.com/shopware/shopware/commit/4f511964c6f721387a7713238155f028898eda17
github.com/shopware/shopware/security/advisories/GHSA-3qrq-r688-vvh4
www.shopware.com/en/changelog-sw5/#5-7-9
Related
prion
prion
Default credentials
2022-04-28 15:15:00
osv
osv
Multiple valid tokens for password reset in Shopware
2022-04-28 21:02:17
cvelist
cvelist
CVE-2022-24892 Multiple valid tokens for password reset in Shopware
2022-04-28 14:20:12
nvd
nvd
CVE-2022-24892
2022-04-28 15:15:10
github
github
Multiple valid tokens for password reset in Shopware
2022-04-28 21:02:17
cve
cve
CVE-2022-24892
2022-04-28 15:15:10