Configured Commerce Security Advisory - COM-2024-04


Brief Description:

A medium-severity session-management issue was discovered in the Commerce B2B application, affecting how long storefront sessions remain active. Session tokens belonging to sessions the user had already logged out of were not invalidated on the server, so they remained valid and could still be used.

 

Affected Versions:

All versions before 5.2.2408 (STS) and 5.2.2408 (LTS).

 

Solutions and Mitigations: 

When a user logs out of a Commerce storefront, the session is now invalidated on the server side, not merely cleared from the browser. This prevents re-use of a session token after the session it belongs to should no longer be active. The fix is included in 5.2.2408 (STS) and 5.2.2408 (LTS).
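The two logout behaviours described above, as an added illustration that is not code from Configured Commerce or Optimizely: a logout that only clears the browser cookie (the weak pattern) beside one that revokes the server-side record, plus the replay check that distinguishes them. The in-memory session store, token format and the user name are constructed for the example.

```python
"""Logout that only clears the client cookie versus logout that revokes the
server-side session. Added illustration for this advisory, not Configured
Commerce code; the in-memory store, token format and user name are assumed."""
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional


@dataclass
class Session:
    user: str
    expires_at: float


@dataclass
class SessionStore:
    """Server-side session table keyed by an opaque bearer token."""
    ttl: float = 3600.0  # seconds a session lives without an explicit logout
    sessions: Dict[str, Session] = field(default_factory=dict)

    def login(self, user: str, now: float) -> str:
        token = secrets.token_urlsafe(32)  # 256 random bits, not guessable
        self.sessions[token] = Session(user=user, expires_at=now + self.ttl)
        return token

    def lookup(self, token: Optional[str], now: float) -> Optional[str]:
        """Return the user bound to a live session, or None if the token is
        unknown, revoked or expired. Expired entries are dropped on sight."""
        if token is None:
            return None
        session = self.sessions.get(token)
        if session is None:
            return None
        if now >= session.expires_at:
            del self.sessions[token]
            return None
        return session.user

    def revoke(self, token: Optional[str]) -> None:
        """Delete the server-side record; idempotent, so a repeated logout is harmless."""
        if token is not None:
            self.sessions.pop(token, None)


@dataclass
class Client:
    """A browser holding the session cookie."""
    cookie: Optional[str] = None


def logout_client_only(store: SessionStore, client: Client) -> None:
    """Weak pattern: the browser forgets the cookie, but the server record
    survives, so any copy of the token keeps working until the ttl runs out."""
    client.cookie = None


def logout_server_side(store: SessionStore, client: Client) -> None:
    """Fixed pattern: revoke the server record first, then drop the cookie."""
    store.revoke(client.cookie)
    client.cookie = None


Logout = Callable[[SessionStore, Client], None]


def token_survives_logout(store: SessionStore, logout: Logout,
                          now: float = 0.0, delay: float = 1.0) -> bool:
    """Replay check: log in, keep a copy of the token (as a shared device or an
    intercepting party might), log out, then present the copy again `delay`
    seconds later. True means the logged-out session is still usable."""
    client = Client()
    client.cookie = store.login("buyer@example.test", now)  # constructed user
    captured = client.cookie
    logout(store, client)
    return store.lookup(captured, now + delay) is not None


if __name__ == "__main__":
    print("client-only logout, replay succeeds:",
          token_survives_logout(SessionStore(), logout_client_only))
    print("server-side logout, replay succeeds:",
          token_survives_logout(SessionStore(), logout_server_side))
    # Even with the weak logout, the exposure window closes at session timeout.
    print("client-only logout, replay after ttl:",
          token_survives_logout(SessionStore(ttl=60), logout_client_only, delay=61))
```

The same replay check, run against a real storefront with a session cookie captured before logout, is how to confirm that the upgrade took effect: a replayed request that still returns authenticated content means the server-side session was not invalidated.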

 

For Users that Cannot Upgrade: 

If you are unable to upgrade, the following mitigations are suggested. They reduce the chance that a still-valid session token is captured or reused from another device; they do not invalidate a token that has already been issued:

  • Access storefronts only from trusted networks, or use a VPN when on an uncontrolled network.
  • Do not use shared devices to process data in the application, since a session token left on such a device remains usable after logout.

 

CVSS and Severity: 

CVSS 5.9, Medium

 

CVE ID: 

CVE-2025-22386

 

Date Published: 

Dec 13, 2024