Configured Commerce Security Advisory - COM-2024-06


Brief Description: 

A medium-severity issue was identified in requests for resources where the session token was submitted as a URL query parameter. A token carried in the URL is recorded wherever URLs are recorded (browser history, proxy and web-server access logs, and the Referer header of outbound requests), which exposes the authenticated session and can be leveraged in a session hijack. 

 

Affected Versions: 

All versions prior to 5.2.2408 (STS) and 5.2.2408 (LTS). 

 

Solutions and Mitigations: 
The affected requests now send the session token in the body of a POST rather than as a query parameter of a GET. The token therefore no longer appears in URLs, and so is no longer written to history, logs or Referer headers. 
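The following is an added example and not Optimizely's own code: it shows the vulnerable request shape (token in the query string) beside the fixed shape described above (token in a POST body), a check that flags token-like query parameters, and a scan over access-log lines that an administrator can use to see whether tokens have already been recorded. The host, API path, parameter names and log lines are all constructed for illustration and are assumptions, not values from the product.

```javascript
// Added example (not Optimizely's code). Host, path, parameter names and the
// sample log lines below are assumptions made for illustration.

const STOREFRONT = "https://shop.example.com";              // hypothetical host
const RESOURCE = "/api/v1/resources";                        // hypothetical path
const TOKEN_PARAMS = ["access_token", "token", "sessionid"]; // assumed sensitive names

// Vulnerable form: the token rides in the query string, so it lands in browser
// history, proxy/server access logs and the Referer header of outbound links.
function buildVulnerableRequest(token, resourceId) {
  const url = new URL(RESOURCE, STOREFRONT);
  url.searchParams.set("id", resourceId);
  url.searchParams.set("access_token", token);
  return { method: "GET", url: url.toString(), headers: {}, body: null };
}

// Fixed form: the token travels in the body of a POST, the shape the advisory
// describes. (A bearer Authorization header is another common choice; either
// keeps the token out of the URL.)
function buildFixedRequest(token, resourceId) {
  const url = new URL(RESOURCE, STOREFRONT);
  return {
    method: "POST",
    url: url.toString(),
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({ id: resourceId, access_token: token }),
  };
}

// Check: which token-like query parameters does a URL carry?
// Returns the offending parameter names (empty array when clean).
function tokenParamsInUrl(urlString) {
  const url = new URL(urlString);
  return [...url.searchParams.keys()].filter((k) =>
    TOKEN_PARAMS.includes(k.toLowerCase())
  );
}

// Check for deployments that cannot upgrade yet: scan access-log lines
// (combined log format) for requests that already leaked a token via the URL.
function findTokenLeaksInLog(lines) {
  const hits = [];
  for (const line of lines) {
    // Combined log format request field: "GET /path?query HTTP/1.1"
    const m = /"(GET|POST|PUT|DELETE) (\S+) HTTP\/[\d.]+"/.exec(line);
    if (!m) continue;
    const params = tokenParamsInUrl(new URL(m[2], STOREFRONT).toString());
    if (params.length) {
      hits.push({ method: m[1], path: m[2].split("?")[0], params });
    }
  }
  return hits;
}

// Constructed sample log lines (not real traffic).
const SAMPLE_LOG = [
  '203.0.113.5 - - [13/Dec/2024:10:00:01 +0000] "GET /api/v1/resources?id=42&access_token=eyJabc.def.ghi HTTP/1.1" 200 512',
  '203.0.113.5 - - [13/Dec/2024:10:00:02 +0000] "POST /api/v1/resources HTTP/1.1" 200 512',
  '198.51.100.7 - - [13/Dec/2024:10:00:03 +0000] "GET /static/app.js HTTP/1.1" 200 9001',
];

// Demonstration run.
console.log("vulnerable URL leaks:", tokenParamsInUrl(buildVulnerableRequest("secret", "42").url));
console.log("fixed URL leaks:", tokenParamsInUrl(buildFixedRequest("secret", "42").url));
console.log("log hits:", findTokenLeaksInLog(SAMPLE_LOG));
```

Any hit from the log scan means the token value in that line should be treated as compromised: invalidate the corresponding session and consider the log file itself sensitive.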

 

For Users that Cannot Upgrade: 
If you are unable to upgrade, the following mitigations are suggested:  

  • Access storefronts only from trusted networks, or use a VPN when on an uncontrolled network. 
  • Avoid sharing devices on which you process data within the application.  

These steps reduce the chance of the URL being observed in transit or on a shared device. They do not stop the token from being recorded in browser history or in server-side access logs, so those records should be treated as sensitive until the upgrade is applied. 

 

CVSS and Severity: 
CVSS 5.9, Medium 

 

CVE ID: 
CVE-2025-22387

 

Date Published: 
Dec 13, 2024