fkie_cve-2022-24742
Vulnerability from fkie_nvd
Published
2022-03-14 20:15
Modified
2024-11-21 06:50
Severity ?
5.0 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Summary
Sylius is an open source eCommerce platform. Prior to versions 1.9.10, 1.10.11, and 1.11.2, any other user can view the data if browser tab remains unclosed after log out. The issue is fixed in versions 1.9.10, 1.10.11, and 1.11.2. A workaround is available. The application must strictly redirect to login page even browser back button is pressed. Another possibility is to set more strict cache policies for restricted content.
References
security-advisories@github.comhttps://github.com/Sylius/Sylius/releases/tag/v1.10.11Release Notes, Third Party Advisory
security-advisories@github.comhttps://github.com/Sylius/Sylius/releases/tag/v1.11.2Release Notes, Third Party Advisory
security-advisories@github.comhttps://github.com/Sylius/Sylius/releases/tag/v1.9.10Release Notes, Third Party Advisory
security-advisories@github.comhttps://github.com/Sylius/Sylius/security/advisories/GHSA-7563-75j9-6h5pMitigation, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/Sylius/Sylius/releases/tag/v1.10.11Release Notes, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/Sylius/Sylius/releases/tag/v1.11.2Release Notes, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/Sylius/Sylius/releases/tag/v1.9.10Release Notes, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/Sylius/Sylius/security/advisories/GHSA-7563-75j9-6h5pMitigation, Third Party Advisory
Impacted products
Vendor Product Version
sylius sylius *
sylius sylius *
sylius sylius *


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "E2B404E6-8985-428A-A7C4-880A4947766B",
              "versionEndExcluding": "1.9.10",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "687E9BB6-A926-4A62-B44E-7A1B236D6C6F",
              "versionEndExcluding": "1.10.11",
              "versionStartIncluding": "1.10.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "D4D032BB-B314-42A5-808D-5861B909F76F",
              "versionEndExcluding": "1.11.2",
              "versionStartIncluding": "1.11.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Sylius is an open source eCommerce platform. Prior to versions 1.9.10, 1.10.11, and 1.11.2, any other user can view the data if browser tab remains unclosed after log out. The issue is fixed in versions 1.9.10, 1.10.11, and 1.11.2. A workaround is available. The application must strictly redirect to login page even browser back button is pressed. Another possibility is to set more strict cache policies for restricted content."
    },
    {
      "lang": "es",
      "value": "Sylius es una plataforma de comercio electr\u00f3nico de c\u00f3digo abierto. En versiones anteriores a 1.9.10, 1.10.11 y 1.11.2, cualquier otro usuario pod\u00eda visualizar los datos si la pesta\u00f1a del navegador permanec\u00eda sin cerrar despu\u00e9s de cerrar la sesi\u00f3n. El problema ha sido solucionado en versiones 1.9.10, 1.10.11 y 1.11.2. Se presenta una medida de mitigaci\u00f3n disponible. La aplicaci\u00f3n debe redirigir estrictamente a la p\u00e1gina de inicio de sesi\u00f3n incluso si es pulsado el bot\u00f3n de retroceso del navegador. Otra posibilidad es establecer pol\u00edticas de cach\u00e9 m\u00e1s estrictas para el contenido restringido"
    }
  ],
  "id": "CVE-2022-24742",
  "lastModified": "2024-11-21T06:50:59.840",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "NONE",
          "baseScore": 5.0,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.3,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "NONE",
          "baseScore": 5.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-03-14T20:15:08.683",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes",
        "Third Party Advisory"
      ],
      "url": "https://github.com/Sylius/Sylius/releases/tag/v1.10.11"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes",
        "Third Party Advisory"
      ],
      "url": "https://github.com/Sylius/Sylius/releases/tag/v1.11.2"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes",
        "Third Party Advisory"
      ],
      "url": "https://github.com/Sylius/Sylius/releases/tag/v1.9.10"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Mitigation",
        "Third Party Advisory"
      ],
      "url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-7563-75j9-6h5p"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes",
        "Third Party Advisory"
      ],
      "url": "https://github.com/Sylius/Sylius/releases/tag/v1.10.11"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes",
        "Third Party Advisory"
      ],
      "url": "https://github.com/Sylius/Sylius/releases/tag/v1.11.2"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes",
        "Third Party Advisory"
      ],
      "url": "https://github.com/Sylius/Sylius/releases/tag/v1.9.10"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mitigation",
        "Third Party Advisory"
      ],
      "url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-7563-75j9-6h5p"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-200"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-668"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.