CVE-2022-23063
📋 TL;DR
This vulnerability allows users who were already logged into Shopizer to maintain access even after their password has been changed, either by themselves or an administrator. This affects Shopizer e-commerce platform users and administrators who rely on password changes for security. The insufficient session expiration means compromised accounts may remain accessible to attackers.
💻 Affected Systems
- Shopizer
📦 What is this software?
Shopizer by Shopizer
⚠️ Risk & Real-World Impact
Worst Case
An attacker who gains temporary access to a user account maintains persistent access even after the legitimate user changes their password, potentially leading to data theft, unauthorized purchases, or administrative compromise.
Likely Case
Users who change passwords for security reasons remain vulnerable to previous session hijacking, allowing unauthorized access to personal data and order history.
If Mitigated
With proper session invalidation controls, password changes immediately terminate all existing sessions, limiting the window for unauthorized access.
🎯 Exploit Status
Exploitation requires an existing authenticated session, making it straightforward for attackers with initial access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.0.2 and later
Vendor Advisory: https://github.com/shopizer-ecommerce/shopizer/security/advisories
Restart Required: Yes
Instructions:
1. Back up your Shopizer installation and database.
2. Update to Shopizer version 3.0.2 or later.
3. Restart the application server.
4. Verify that existing sessions are invalidated after a password change.
🔧 Temporary Workarounds
Manual Session Invalidation
- Implement custom session management that invalidates all of a user's sessions when their password is changed.
- Modify the authentication logic to clear session tokens on password change events.
🧯 If You Can't Patch
- Implement forced logout for all users after password changes through administrative controls
- Monitor for suspicious activity from old session tokens and manually terminate sessions
🔍 How to Verify
Check if Vulnerable:
Test by logging into Shopizer, changing the password in another browser/tab, then attempting to use the original session - if it remains active, the system is vulnerable.
Check Version:
Check the Shopizer version in the application's admin panel or configuration files.
Verify Fix Applied:
After patching, repeat the vulnerable test - original sessions should be immediately terminated upon password change.
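The following is an added example, not Shopizer's code and not part of this advisory. It models, in memory, the workaround described under "Temporary Workarounds" (every session issued under an old password is rejected once the password changes, implemented here as a per-user password version stamped into each session) and the check from "How to Verify" (log in, change the password from a second session, then reuse the first session). All class and function names are hypothetical, and the SHA-256 password hash is illustrative only; a real deployment would use a dedicated password hash and its own session store.

```python
"""Session invalidation on password change, modelled in memory.

Added example (hypothetical names, not Shopizer's code). Each session records
the user's password version at issue time; a password change bumps the version,
so every pre-change session fails validation on its next use.
"""
from dataclasses import dataclass
from typing import Dict, Optional
import hashlib
import hmac
import secrets
import time


@dataclass
class User:
    name: str
    password_hash: str
    password_version: int = 0          # incremented on every password change


@dataclass
class Session:
    user: str
    password_version: int              # version the session was issued under
    issued_at: float


def _hash(password: str, salt: str) -> str:
    # Illustrative only; use bcrypt/argon2 for real password storage.
    return hashlib.sha256((salt + ":" + password).encode()).hexdigest()


class SessionStore:
    def __init__(self, invalidate_on_change: bool) -> None:
        # invalidate_on_change=False reproduces the vulnerable behaviour,
        # True the hardened behaviour.
        self.invalidate_on_change = invalidate_on_change
        self.users: Dict[str, User] = {}
        self.sessions: Dict[str, Session] = {}

    def register(self, name: str, password: str) -> None:
        self.users[name] = User(name, _hash(password, name))

    def login(self, name: str, password: str) -> Optional[str]:
        user = self.users.get(name)
        if user is None or not hmac.compare_digest(user.password_hash, _hash(password, name)):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(name, user.password_version, time.time())
        return token

    def session_user(self, token: str) -> Optional[str]:
        """Resolve a token to its user, or None if the session is no longer valid."""
        sess = self.sessions.get(token)
        if sess is None:
            return None
        user = self.users[sess.user]
        # Hardened path: a session stamped with an older password version is
        # rejected and dropped lazily, so tokens need not be tracked elsewhere.
        if self.invalidate_on_change and sess.password_version != user.password_version:
            del self.sessions[token]
            return None
        return sess.user

    def change_password(self, token: str, new_password: str) -> bool:
        name = self.session_user(token)
        if name is None:
            return False
        user = self.users[name]
        user.password_hash = _hash(new_password, name)
        if self.invalidate_on_change:
            user.password_version += 1   # invalidates every session, including this one
        return True


def old_session_survives(invalidate_on_change: bool) -> bool:
    """Mirror of the manual test: log in, change the password from a second
    session, then try to use the first session. True means vulnerable."""
    store = SessionStore(invalidate_on_change)
    store.register("alice", "initial-pw")
    first = store.login("alice", "initial-pw")
    second = store.login("alice", "initial-pw")   # "another browser/tab"
    if first is None or second is None or not store.change_password(second, "rotated-pw"):
        raise RuntimeError("test setup failed")
    return store.session_user(first) is not None
```

Running `old_session_survives(False)` returns True (the pre-change session keeps working, which is the behaviour this CVE describes); `old_session_survives(True)` returns False. The version check rather than a server-side wipe is deliberate: it also covers tokens that are validated without a lookup, as long as the validator can read the user's current password version.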
📡 Detection & Monitoring
Log Indicators:
- Multiple successful logins from the same user after password change events
- Session tokens remaining active beyond password reset timestamps
Network Indicators:
- Unusual session duration patterns
- Authentication requests from old session tokens after password changes
SIEM Query:
source="shopizer" AND (event="password_change" OR event="password_reset") | stats count by user, session_id | where count > 1
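The second log indicator above (a session token still in use after the password reset timestamp) can be evaluated directly over application logs. The following is an added example, not part of this advisory and not a Shopizer feature: it assumes JSON-lines logs carrying `ts`, `event`, `user` and `session_id` fields (an assumed format, not Shopizer's) and flags the first request on any session whose login predates the user's most recent password change or reset. The sample log lines are constructed.

```python
"""Flag sessions used after a password change that were issued before it.

Added example with an assumed JSON-lines log format; the sample below is
constructed, not captured from a real Shopizer deployment.
"""
import json
from typing import Dict, Iterable, List, Set, Tuple

SAMPLE_LOG = """\
{"ts": 90,  "event": "login", "user": "bob", "session_id": "S9"}
{"ts": 100, "event": "login", "user": "alice", "session_id": "S1"}
{"ts": 120, "event": "login", "user": "alice", "session_id": "S2"}
{"ts": 130, "event": "password_change", "user": "alice"}
{"ts": 140, "event": "request", "user": "alice", "session_id": "S1", "path": "/orders"}
{"ts": 145, "event": "request", "user": "alice", "session_id": "S1", "path": "/account"}
{"ts": 150, "event": "login", "user": "alice", "session_id": "S3"}
{"ts": 160, "event": "request", "user": "alice", "session_id": "S3", "path": "/account"}
{"ts": 180, "event": "password_reset", "user": "bob"}
{"ts": 190, "event": "request", "user": "bob", "session_id": "S9", "path": "/orders"}
{"ts": 200, "event": "request", "user": "carol", "session_id": "S7", "path": "/cart"}
"""


def find_stale_session_use(lines: Iterable[str]) -> List[Tuple[str, str, int]]:
    """Return (user, session_id, first_stale_ts) for each session that is used
    after the user's latest password change but was issued before it."""
    events = [json.loads(line) for line in lines if line.strip()]
    events.sort(key=lambda e: e["ts"])          # logs may arrive out of order

    issued: Dict[str, int] = {}                 # session_id -> login timestamp
    changed: Dict[str, int] = {}                # user -> latest change/reset timestamp
    flagged: Set[Tuple[str, str]] = set()       # report each stale session once
    hits: List[Tuple[str, str, int]] = []

    for ev in events:
        kind = ev["event"]
        if kind == "login":
            issued[ev["session_id"]] = ev["ts"]
        elif kind in ("password_change", "password_reset"):
            changed[ev["user"]] = ev["ts"]
        else:
            sid = ev.get("session_id")
            t_change = changed.get(ev["user"])
            t_issue = issued.get(sid) if sid else None
            # No change on record, or login outside the log window: cannot judge.
            if t_change is None or t_issue is None:
                continue
            # Processed in timestamp order, so this event is already after t_change.
            if t_issue < t_change and (ev["user"], sid) not in flagged:
                flagged.add((ev["user"], sid))
                hits.append((ev["user"], sid, ev["ts"]))
    return hits


if __name__ == "__main__":
    for user, sid, ts in find_stale_session_use(SAMPLE_LOG.splitlines()):
        print(f"stale session {sid} for {user} still used at ts={ts}")
```

On the sample, alice's S1 (issued at 100, used at 140 after the change at 130) and bob's S9 (issued at 90, used at 190 after the reset at 180) are reported; S3 is not, because it was issued after the change, and carol's session is skipped because no password change is on record for her.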
🔗 References
- https://github.com/shopizer-ecommerce/shopizer/blob/3.0.1/sm-shop/src/main/java/com/salesmanager/shop/store/api/v1/customer/AuthenticateCustomerApi.java#L213-L237
- https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-23063