CVE-2023-22732

CRITICAL Year: 2023
CVSS v3 Score
9.8
Critical
Weakness Type
CWE-613
View all →

Vulnerability Description

Shopware is an open source commerce platform based on Symfony Framework and Vue js. The Administration session expiration was set to one week, when an attacker has stolen the session cookie they could use it for a long period of time. In version 6.4.18.1 an automatic logout into the Administration session has been added. As a result the user will be logged out when they are inactive. Users are advised to upgrade. There are no known workarounds for this issue.

Related Vulnerabilities

CVE-2014-2595

CRITICAL
CVSS:9.8(Critical)

Barracuda Web Application Firewall (WAF) 7.8.1.013 allows remote attackers to bypass authentication by leveraging a permanent authentication token obtained from a query string.

CWE-6132014

CVE-2015-5171

CRITICAL
CVSS:9.8(Critical)

The password change functionality in Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.7.0 allow attackers to have unspecified imp...

CWE-6132015

CVE-2016-11014

CRITICAL
CVSS:9.8(Critical)

NETGEAR JNR1010 devices before 1.0.0.32 have Incorrect Access Control because the ok value of the auth cookie is a special case.

CWE-6132016

CVE-2016-5069

CRITICAL
CVSS:9.8(Critical)

Sierra Wireless GX 440 devices with ALEOS firmware 4.3.2 use guessable session tokens, which are in the URL.

CWE-6132016

CVE-2016-6545

CRITICAL
CVSS:9.8(Critical)

Session cookies are not used for maintaining valid sessions in iTrack Easy. The user's password is passed as a POST parameter over HTTPS using a base64 encoded passwd field on every request. In this i...

CWE-6132016

CVE-2018-21018

CRITICAL
CVSS:9.8(Critical)

Mastodon before 2.6.3 mishandles timeouts of incompletely established sessions.

CWE-6132018