Insufficient Session Expiration

CVE-2022-23063

Severity High
Score 8.8/10

Summary

Shopizer versions from 2.3.0 and prior to 3.2.0 are vulnerable to Insufficient Session Expiration. When a password has been changed, whether by the user or by an administrator, a user who was already logged in still has access to the application after the change.

  • LOW
  • NETWORK
  • HIGH
  • UNCHANGED
  • NONE
  • LOW
  • HIGH
  • HIGH

CWE-613 - Insufficient Session Expiration

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
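
One way to close this gap, shown as an added example (not Shopizer's code or its actual fix): each session records the account's credential version at login, and a password change by the user or an administrator bumps that version so sessions issued earlier fail validation. `SessionRegistry`, its method names and the sample user are hypothetical.

```java
import java.util.Map;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;

// Added illustration; class and method names are hypothetical, not Shopizer's.
public class SessionRegistry {
    private record Session(String user, long credentialVersion) {}

    private final Map<String, Session> sessions = new ConcurrentHashMap<>();
    // Bumped on every password change, whether made by the user or an administrator.
    private final Map<String, Long> credentialVersions = new ConcurrentHashMap<>();

    public String login(String user) {
        String id = UUID.randomUUID().toString();
        sessions.put(id, new Session(user, credentialVersions.getOrDefault(user, 0L)));
        return id;
    }

    public void changePassword(String user) {
        credentialVersions.merge(user, 1L, Long::sum);
    }

    // Weak check (CWE-613): any session that was ever issued stays valid.
    public boolean isValidWeak(String id) {
        return sessions.containsKey(id);
    }

    // Hardened check: the session must carry the account's current credential version.
    public boolean isValid(String id) {
        Session s = sessions.get(id);
        if (s == null) return false;
        if (s.credentialVersion() != credentialVersions.getOrDefault(s.user(), 0L)) {
            sessions.remove(id); // stale: issued before the last password change
            return false;
        }
        return true;
    }

    public static void main(String[] args) {
        SessionRegistry reg = new SessionRegistry();
        String old = reg.login("alice");   // constructed sample user
        reg.changePassword("alice");       // e.g. an administrator resets the password
        String fresh = reg.login("alice");
        System.out.println("weak check, old session:     " + reg.isValidWeak(old));
        System.out.println("hardened check, old session: " + reg.isValid(old));
        System.out.println("hardened check, new session: " + reg.isValid(fresh));
    }
}
```

The same version comparison works for stateless tokens if the credential version (or a password-changed timestamp) is embedded in the token and checked against the account record on each request.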

References

Advisory Timeline

  • Published