How severe is CVE-2022-24740?

This vulnerability has a severity rating of HIGH with a CVSS score of 7.5 out of 10.

What type of vulnerability is CVE-2022-24740?

This is classified as CWE-287, which is a common weakness in software security.

CVE-2022-24740 - HIGH Severity | CVSS 7.5

Vulnerability Description

Volto is a ReactJS-based frontend for the Plone Content Management System. Between versions 14.0.0-alpha.5 and 15.0.0-alpha.0, a user could have their authentication cookie replaced with an authentication cookie from another user, effectively giving them control of the other user's account and privileges. This occurs when using an outdated version of the `react-cookie` library and a server is under high load. A proof of concept does not currently exist, but it is possible for this issue to occur in the wild. The patch and fix is present in Volto 15.0.0-alpha.0. As a workaround, one may manually upgrade the `react-cookie` package to 4.1.1 and then override all Volto components that use this library.

Related Vulnerabilities

CVE-2002-2438

HIGH

CVSS:7.5(High)

TCP firewalls could be circumvented by sending a SYN Packets with other flags (like e.g. RST flag) set, which was not correctly discarded by the Linux TCP stack after firewalling.

CWE-2872002

CVE-2009-0130

HIGH

CVSS:7.5(High)

lib/crypto/c_src/crypto_drv.c in erlang does not properly check the return value from the OpenSSL DSA_do_verify function, which might allow remote attackers to bypass validation of the certificate cha...

CWE-2872009

CVE-2011-2054

HIGH

CVSS:7.5(High)

A vulnerability in the Cisco ASA that could allow a remote attacker to successfully authenticate using the Cisco AnyConnect VPN client if the Secondary Authentication type is LDAP and the password is ...

CWE-2872011

CVE-2012-3824

HIGH

CVSS:7.5(High)

In Arial Campaign Enterprise before 11.0.551, multiple pages are accessible without authentication or authorization.

CWE-2872012

CVE-2013-1391

HIGH

CVSS:7.5(High)

Authentication bypass vulnerability in the the web interface in Hunt CCTV, Capture CCTV, Hachi CCTV, NoVus CCTV, and Well-Vision Inc DVR systems allows a remote attacker to retrieve the device configu...

CWE-2872013

CVE-2013-2569

HIGH

CVSS:7.5(High)

A Security Bypass vulnerability exists in Zavio IP Cameras through 1.6.3 because the RTSP protocol authentication is disabled by default, which could let a malicious user obtain unauthorized access to...

CWE-2872013