Home > Vulnerability Database > CVE-2022-24892

Mend.io Vulnerability Database

CVE-2022-24892

Good to know:

Date: April 28, 2022

Shopware is an open source e-commerce software platform. Starting with version 5.0.4 and before version 5.7.9, multiple tokens for password reset can be requested. All tokens can be used to change the password. This makes it possible for an attacker to take over the victim's account if they somehow gain access to the victims email account and find an unused password reset token in the emails. This issue is fixed in version 5.7.9.

Language: PHP

Severity Score

7.5

Related Resources (5)

Url: https://github.com/shopware/shopware/security/advisories/GHSA-3qrq-r688-vvh4

Url: https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-04-2022

Url: https://www.shopware.com/en/changelog-sw5/#5-7-9

Url: https://nvd.nist.gov/vuln/detail/CVE-2022-24892

Url: https://www.mend.io/vulnerability-database/CVE-2022-24892

Severity Score

7.5

Weakness Type (CWE)

Weak Password Recovery Mechanism for Forgotten Password

CWE-640

Top Fix

Upgrade Version

Upgrade to version v5.7.9

Learn More

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

CVSS v2

Base Score:	6.8
Access Vector (AV):	NETWORK
Access Complexity (AC):	MEDIUM
Authentication (AU):	NONE
Confidentiality (C):	PARTIAL
Integrity (I):	PARTIAL
Availability (A):	PARTIAL
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2022-24892

Good to know:

Date: April 28, 2022

Language: PHP

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?