Home > Vulnerability Database > CVE-2022-24740

Mend.io Vulnerability Database

CVE-2022-24740

Good to know:

Date: March 14, 2022

Volto is a ReactJS-based frontend for the Plone Content Management System. Between versions 14.0.0-alpha.5 and 15.0.0-alpha.0, a user could have their authentication cookie replaced with an authentication cookie from another user, effectively giving them control of the other user's account and privileges. This occurs when using an outdated version of the `react-cookie` library and a server is under high load. A proof of concept does not currently exist, but it is possible for this issue to occur in the wild. The patch and fix is present in Volto 15.0.0-alpha.0. As a workaround, one may manually upgrade the `react-cookie` package to 4.1.1 and then override all Volto components that use this library.

Language: JS

Severity Score

7.5

Related Resources (4)

Url: https://github.com/plone/volto/security/advisories/GHSA-cfhh-xgwq-5r67

Url: https://nvd.nist.gov/vuln/detail/CVE-2022-24740

Url: https://github.com/plone/volto/pull/3051

Url: https://www.mend.io/vulnerability-database/CVE-2022-24740

Severity Score

7.5

Weakness Type (CWE)

Authentication Issues

CWE-287

Top Fix

Upgrade Version

Upgrade to version @plone/volto - 15.0.0

Learn More

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

CVSS v2

Base Score:	6.0
Access Vector (AV):	NETWORK
Access Complexity (AC):	MEDIUM
Authentication (AU):	SINGLE
Confidentiality (C):	PARTIAL
Integrity (I):	PARTIAL
Availability (A):	PARTIAL
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2022-24740

Good to know:

Date: March 14, 2022

Language: JS

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?