Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS01OXFnLTkzamctMjM2Zs4AAxG7

Shopware has Insufficient Session Expiration in Administration

Impact

The Administration session expiration was set to one week, when an attacker has stolen the session cookie they could use it for a long period of time.

Patches

We added an automatic logout into the Administration, so the user will be logged out when they are inactive.

References

https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-01-2023?category=security-updates

Permalink: https://github.com/advisories/GHSA-59qg-93jg-236f
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01OXFnLTkzamctMjM2Zs4AAxG7
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: about 1 year ago
Updated: about 1 year ago

CVSS Score: 3.7
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Identifiers: GHSA-59qg-93jg-236f, CVE-2023-22732
References:

• https://github.com/shopware/platform/security/advisories/GHSA-59qg-93jg-236f
• https://nvd.nist.gov/vuln/detail/CVE-2023-22732
• https://github.com/shopware/platform/commit/cd7a89cbcd3a0428c6d1ef27b3aa15467a722ff6
• https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-01-2023?category=security-updates
• https://github.com/advisories/GHSA-59qg-93jg-236f

Repository: https://github.com/shopware/platform
Blast Radius: 9.2

Affected Packages