Skip to main content

Sylius CVE-2022-24742

MEDIUM
Information Exposure (CWE-200)
2022-03-14 security-advisories@github.com
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
CVE Published
Mar 14, 2022 - 20:15 nvd
MEDIUM 5.5

DescriptionNVD

Sylius is an open source eCommerce platform. Prior to versions 1.9.10, 1.10.11, and 1.11.2, any other user can view the data if browser tab remains unclosed after log out. The issue is fixed in versions 1.9.10, 1.10.11, and 1.11.2. A workaround is available. The application must strictly redirect to login page even browser back button is pressed. Another possibility is to set more strict cache policies for restricted content.

AnalysisAI

Sylius is an open source eCommerce platform. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Exposure of Sensitive Information (CWE-200), which allows attackers to access sensitive data that should not be disclosed. Sylius is an open source eCommerce platform. Prior to versions 1.9.10, 1.10.11, and 1.11.2, any other user can view the data if browser tab remains unclosed after log out. The issue is fixed in versions 1.9.10, 1.10.11, and 1.11.2. A workaround is available. The application must strictly redirect to login page even browser back button is pressed. Another possibility is to set more strict cache policies for restricted content. Affected products include: Sylius.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Minimize information in error messages, implement proper access controls, encrypt sensitive data at rest and in transit.

More in Sylius

View all
CVE-2024-57610 HIGH POC
7.5 Feb 06

A rate limiting issue in Sylius v2.0.2 allows a remote attacker to perform unrestricted brute-force attacks on user acco

CVE-2022-24743 HIGH POC
8.2 Mar 14

Sylius is an open source eCommerce platform. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable,

CVE-2024-29376 MEDIUM POC
6.4 Apr 22

Sylius 1.12.13 is vulnerable to Cross Site Scripting (XSS) via the "Province" field in Address Book. Rated medium severi

CVE-2022-24749 MEDIUM POC
6.1 Mar 14

Sylius is an open source eCommerce platform. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitabl

CVE-2026-31824 HIGH
8.2 Mar 10

Sylius eCommerce Framework is vulnerable to a race condition in promotion and coupon usage limit enforcement, where conc

CVE-2026-31820 MEDIUM
6.5 Mar 10

Authenticated users in Sylius eCommerce can access sensitive customer data belonging to other users through unvalidated

CVE-2026-31819 MEDIUM
6.1 Mar 10

Open redirect vulnerabilities in Sylius eCommerce Framework allow unauthenticated attackers to redirect users to arbitra

CVE-2026-31822 MEDIUM
6.1 Mar 10

Stored XSS in Sylius checkout login form allows unauthenticated attackers to inject malicious scripts through authentica

CVE-2022-24733 MEDIUM
6.1 Mar 14

Sylius is an open source eCommerce platform. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitabl

CVE-2026-31821 MEDIUM
5.3 Mar 10

Sylius eCommerce framework's cart API endpoint fails to validate cart ownership, allowing unauthenticated attackers to a

CVE-2026-31825 MEDIUM
5.3 Mar 10

Sylius eCommerce Framework versions prior to 1.9.12, 1.10.16, 1.11.17, 1.12.23, 1.13.15, 1.14.18, 2.0.16, 2.1.12, and 2.

CVE-2021-32720 MEDIUM
5.3 Jun 28

Sylius is an Open Source eCommerce platform on top of Symfony. Rated medium severity (CVSS 5.3), this vulnerability is r

Share

CVE-2022-24742 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy