CVE-2022-24892

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2022-24892

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-24892.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2022-24892

Aliases

GHSA-3qrq-r688-vvh4

Published

2022-04-28T14:20:12Z

Modified

2025-10-13T04:35:44Z

Severity

6.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N CVSS Calculator

Summary

Multiple valid tokens for password reset in Shopware

Details

Shopware is an open source e-commerce software platform. Starting with version 5.0.4 and before version 5.7.9, multiple tokens for password reset can be requested. All tokens can be used to change the password. This makes it possible for an attacker to take over the victim's account if they somehow gain access to the victims email account and find an unused password reset token in the emails. This issue is fixed in version 5.7.9.

References

Affected packages

Git /

Affected ranges

Database specific

unresolved_versions

[
    {
        "events": [
            {
                "introduced": "5.0.4"
            },
            {
                "fixed": "5.7.9"
            }
        ],
        "type": ""
    }
]

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-24892.json"