Skip to main content

Sylius CVE-2022-24743

HIGH
Insufficient Session Expiration (CWE-613)
2022-03-14 security-advisories@github.com
8.2
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
None

Lifecycle Timeline

1
CVE Published
Mar 14, 2022 - 21:15 nvd
HIGH 8.2

DescriptionNVD

Sylius is an open source eCommerce platform. Prior to versions 1.10.11 and 1.11.2, the reset password token was not set to null after the password was changed. The same token could be used several times, which could result in leak of the existing token and unauthorized password change. The issue is fixed in versions 1.10.11 and 1.11.2. As a workaround, overwrite the Sylius\Bundle\ApiBundle\CommandHandler\ResetPasswordHandler class with code provided by the maintainers and register it in a container. More information about this workaround is available in the GitHub Security Advisory.

AnalysisAI

Sylius is an open source eCommerce platform. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified under CWE-613. Sylius is an open source eCommerce platform. Prior to versions 1.10.11 and 1.11.2, the reset password token was not set to null after the password was changed. The same token could be used several times, which could result in leak of the existing token and unauthorized password change. The issue is fixed in versions 1.10.11 and 1.11.2. As a workaround, overwrite the Sylius\Bundle\ApiBundle\CommandHandler\ResetPasswordHandler class with code provided by the maintainers and register it in a container. More information about this workaround is available in the GitHub Security Advisory. Affected products include: Sylius.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

More in Sylius

View all
CVE-2024-57610 HIGH POC
7.5 Feb 06

A rate limiting issue in Sylius v2.0.2 allows a remote attacker to perform unrestricted brute-force attacks on user acco

CVE-2024-29376 MEDIUM POC
6.4 Apr 22

Sylius 1.12.13 is vulnerable to Cross Site Scripting (XSS) via the "Province" field in Address Book. Rated medium severi

CVE-2022-24749 MEDIUM POC
6.1 Mar 14

Sylius is an open source eCommerce platform. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitabl

CVE-2026-31824 HIGH
8.2 Mar 10

Sylius eCommerce Framework is vulnerable to a race condition in promotion and coupon usage limit enforcement, where conc

CVE-2026-31820 MEDIUM
6.5 Mar 10

Authenticated users in Sylius eCommerce can access sensitive customer data belonging to other users through unvalidated

CVE-2026-31819 MEDIUM
6.1 Mar 10

Open redirect vulnerabilities in Sylius eCommerce Framework allow unauthenticated attackers to redirect users to arbitra

CVE-2026-31822 MEDIUM
6.1 Mar 10

Stored XSS in Sylius checkout login form allows unauthenticated attackers to inject malicious scripts through authentica

CVE-2022-24733 MEDIUM
6.1 Mar 14

Sylius is an open source eCommerce platform. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitabl

CVE-2022-24742 MEDIUM
5.5 Mar 14

Sylius is an open source eCommerce platform. Rated medium severity (CVSS 5.5), this vulnerability is no authentication r

CVE-2026-31821 MEDIUM
5.3 Mar 10

Sylius eCommerce framework's cart API endpoint fails to validate cart ownership, allowing unauthenticated attackers to a

CVE-2026-31825 MEDIUM
5.3 Mar 10

Sylius eCommerce Framework versions prior to 1.9.12, 1.10.16, 1.11.17, 1.12.23, 1.13.15, 1.14.18, 2.0.16, 2.1.12, and 2.

CVE-2021-32720 MEDIUM
5.3 Jun 28

Sylius is an Open Source eCommerce platform on top of Symfony. Rated medium severity (CVSS 5.3), this vulnerability is r

Share

CVE-2022-24743 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy