CVE-2022-24742

Exposure of Sensitive Information Due to Incompatible Policies in Sylius

Description

Sylius is an open source eCommerce platform. Prior to versions 1.9.10, 1.10.11, and 1.11.2, any other user can view the data if browser tab remains unclosed after log out. The issue is fixed in versions 1.9.10, 1.10.11, and 1.11.2. A workaround is available. The application must strictly redirect to login page even browser back button is pressed. Another possibility is to set more strict cache policies for restricted content.

References

Link	Tags
https://github.com/Sylius/Sylius/releases/tag/v1.10.11	third party advisory release notes
https://github.com/Sylius/Sylius/releases/tag/v1.11.2	third party advisory release notes
https://github.com/Sylius/Sylius/releases/tag/v1.9.10	third party advisory release notes
https://github.com/Sylius/Sylius/security/advisories/GHSA-7563-75j9-6h5p	mitigation third party advisory

Frequently Asked Questions

What is the severity of CVE-2022-24742?: CVE-2022-24742 has been scored as a medium severity vulnerability.
How to fix CVE-2022-24742?: To fix CVE-2022-24742, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2022-24742 being actively exploited in the wild?: As for now, there are no information to confirm that CVE-2022-24742 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2022-24742?: CVE-2022-24742 affects Sylius Sylius.

Description

Categories

CWE-200 – Exposure of Sensitive Information to an Unauthorized Actor

CWE-668 – Exposure of Resource to Wrong Sphere

References

Frequently Asked Questions