Brief Description:
A medium-severity issue was identified in requests for resources where the session token was submitted as a URL parameter. This exposes information about the authenticated session, which can be leveraged in session hijacking.
Affected Versions:
All versions prior to 5.2.2408 (STS) and 5.2.2408 (LTS).
Solutions and Mitigations:
Requests now POST session information in the request body rather than sending the access token as a GET URL parameter. This protects session details.
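As an added example (not the vendor's code), a defender-side check for the issue described above: a Python scanner that flags access-log entries in which a session or access token travels in the URL query string, and redacts the value before the line is stored or forwarded. The parameter names, the log format and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query-parameter names that commonly carry session or access tokens.
# Constructed list for this example; extend it with the names your application uses.
TOKEN_PARAM_NAMES = {"access_token", "session_token", "sessiontoken", "sessionid", "token"}

# Matches Common Log Format request lines (assumed format, not the vendor's log format).
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def token_params_in_url(url):
    """Return the names (original casing) of token-like query parameters in a URL."""
    query = urlsplit(url).query
    return [name for name, _ in parse_qsl(query, keep_blank_values=True)
            if name.lower() in TOKEN_PARAM_NAMES]

def redact_url(url):
    """Replace token-like query values with a placeholder so the URL is safe to keep."""
    parts = urlsplit(url)
    cleaned = [(name, "REDACTED" if name.lower() in TOKEN_PARAM_NAMES else value)
               for name, value in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(cleaned)))

def scan_access_log(lines):
    """Flag log entries whose request URL carries a session token as a query parameter."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        client, method, url, status = m.groups()
        hits = token_params_in_url(url)
        if hits:
            findings.append({"client": client, "method": method, "status": status,
                             "params": hits, "url": redact_url(url)})
    return findings

# Constructed sample log lines (not real traffic); the first and fourth leak a token via the URL.
SAMPLE_LOG = [
    '10.0.0.5 - - [13/Dec/2024:10:00:01 +0000] "GET /api/cart?access_token=abc123&currency=USD HTTP/1.1" 200 512',
    '10.0.0.5 - - [13/Dec/2024:10:00:02 +0000] "GET /api/cart?currency=USD HTTP/1.1" 200 512',
    '10.0.0.7 - - [13/Dec/2024:10:00:03 +0000] "POST /api/session HTTP/1.1" 200 88',
    '10.0.0.9 - - [13/Dec/2024:10:00:04 +0000] "GET /products?SessionToken=zz9 HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

Running the scanner over logs from before the upgrade shows whether tokens already reached log files, proxies or referrers, which is the exposure the advisory describes.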
For Users that Cannot Upgrade:
If you are unable to upgrade, the following mitigations are suggested:
- Access storefronts from only trusted networks, or use a VPN when on an uncontrolled network.
- Avoid sharing of devices where you are processing data within the application.
CVSS and Severity:
CVSS 5.9, Medium
CVE ID:
CVE-2025-22387
Date Published:
Dec 13, 2024