Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Advisories: GSA_kwCzR0hTQS01OXFnLTkzamctMjM2Zs4AAxG7
Shopware has Insufficient Session Expiration in Administration
Impact
The Administration session expiration was set to one week, when an attacker has stolen the session cookie they could use it for a long period of time.
Patches
We added an automatic logout into the Administration, so the user will be logged out when they are inactive.
References
Permalink: https://github.com/advisories/GHSA-59qg-93jg-236fSource: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: 15 days ago
Updated: 15 days ago
CVSS Score: 3.7
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Identifiers: GHSA-59qg-93jg-236f, CVE-2023-22732
References:
- https://github.com/shopware/platform/security/advisories/GHSA-59qg-93jg-236f
- https://nvd.nist.gov/vuln/detail/CVE-2023-22732
- https://github.com/shopware/platform/commit/cd7a89cbcd3a0428c6d1ef27b3aa15467a722ff6
- https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-01-2023?category=security-updates
- https://github.com/advisories/GHSA-59qg-93jg-236f
Affected Packages
packagist:shopware/core
Versions: <= 6.4.18.0Fixed in: 6.4.18.1
packagist:shopware/platform
Versions: <= 6.4.18.0Fixed in: 6.4.18.1