Brief Description:
A medium-severity session issue was discovered in the Commerce B2B application, affecting how long active sessions in the storefront remain valid. The vulnerability allowed session tokens belonging to sessions the user had already logged out of to remain active and usable.
Affected Versions:
All versions before 5.2.2408 (STS) and 5.2.2408 (LTS).
Solutions and Mitigations:
Sessions that a user logs out of on Commerce storefronts are now invalidated on the server side, which prevents reuse of sessions that should no longer be active. This has been fixed in 5.2.2408 (STS) and 5.2.2408 (LTS).
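To illustrate the fix, the following is an added example (not the Commerce product's code) contrasting a logout that only clears the client cookie with one that revokes the token server side, together with the replay check a tester would use to confirm a logged-out token is rejected; the class and function names are assumptions for this illustration.

```python
import secrets
import time


class ClientOnlyLogoutStore:
    """Illustrates the flawed pattern: logout forgets nothing on the server."""

    def __init__(self, ttl_seconds=3600):
        self.ttl = ttl_seconds
        self.sessions = {}  # token -> (user, expiry timestamp)

    def login(self, user):
        # Issue a fresh, unguessable token and record it server side.
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (user, time.time() + self.ttl)
        return token

    def logout(self, token):
        # Only the client cookie is cleared; the server entry stays valid
        # until its expiry, so a captured token keeps working.
        return None

    def validate(self, token):
        # Returns the user for a live token, or None if unknown or expired.
        entry = self.sessions.get(token)
        if entry is None or entry[1] < time.time():
            return None
        return entry[0]


class ServerSideLogoutStore(ClientOnlyLogoutStore):
    """The corrected pattern: logout revokes the token on the server."""

    def logout(self, token):
        self.sessions.pop(token, None)

    def logout_all(self, user):
        # Revoke every session for the user, e.g. after a password change.
        for tok in [t for t, (u, _) in self.sessions.items() if u == user]:
            del self.sessions[tok]


def replay_after_logout(store, user="alice"):
    """Returns True if a token is still accepted after logout (the flaw)."""
    token = store.login(user)
    assert store.validate(token) == user  # sanity: token works while logged in
    store.logout(token)
    return store.validate(token) is not None
```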
For Users that Cannot Upgrade:
If you are unable to upgrade, the following mitigations are suggested:
- Access storefronts only from trusted networks, or use a VPN when on an uncontrolled network.
- Avoid sharing devices on which you process data within the application.
CVSS and Severity:
CVSS 5.9, Medium
CVE ID:
CVE-2025-22386
Date Published:
Dec 13, 2024