CVE-2022-24892

MEDIUM

Shopware < 5.7.9 - Password Reset Weakness

Title source: rule

Description

Shopware is an open source e-commerce software platform. Starting with version 5.0.4 and before version 5.7.9, multiple tokens for password reset can be requested. All tokens can be used to change the password. This makes it possible for an attacker to take over the victim's account if they somehow gain access to the victims email account and find an unused password reset token in the emails. This issue is fixed in version 5.7.9.

References (3)

[Vendor Advisory] https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-04-2022

[Release Notes, Vendor Advisory] https://www.shopware.com/en/changelog-sw5/#5-7-9

[Patch, Third Party Advisory] https://github.com/shopware/shopware/security/advisories/GHSA-3qrq-r688-vvh4

Scores

CVSS v3 6.4

EPSS 0.0029

EPSS Percentile 51.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-640

Status published

Products (2)

shopware/shopware 5.0.4 - 5.7.9

shopware/shopware 5.0.4 - 5.7.9Packagist

Published Apr 28, 2022

Tracked Since Feb 18, 2026