Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-59qg-93jg-236f: Shopware has Insufficient Session Expiration in Administration

Impact

The Administration session expiration was set to one week, when an attacker has stolen the session cookie they could use it for a long period of time.

Patches

We added an automatic logout into the Administration, so the user will be logged out when they are inactive.

References

https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-01-2023?category=security-updates

ghsa
Open in Source
#git

Shopware has Insufficient Session Expiration in Administration

Low severity GitHub Reviewed Published Jan 20, 2023 in shopware/platform • Updated Jan 20, 2023

Related news

CVE-2023-22732: Shopware 6 - Security Updates

Shopware is an open source commerce platform based on Symfony Framework and Vue js. The Administration session expiration was set to one week, when an attacker has stolen the session cookie they could use it for a long period of time. In version 6.4.18.1 an automatic logout into the Administration session has been added. As a result the user will be logged out when they are inactive. Users are advised to upgrade. There are no known workarounds for this issue.

ghsa: Latest News

GHSA-x7m9-mv49-fv73: Vaultwarden vulnerable to user impersonation
ghsa