SCA: security update for @plone/volto (GHSA-cfhh-xgwq-5r67)

high Tenable Cloud Security Plugin ID 413861

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Volto is a ReactJS-based frontend for the Plone Content Management System. Between versions 14.0.0-alpha.5
and 15.0.0-alpha.0, a user could have their authentication cookie replaced with an authentication cookie
from another user, effectively giving them control of the other user's account and privileges. This occurs
when using an outdated version of the `react-cookie` library and a server is under high load. A proof of
concept does not currently exist, but it is possible for this issue to occur in the wild. The patch and
fix is present in Volto 15.0.0-alpha.0. As a workaround, one may manually upgrade the `react-cookie`
package to 4.1.1 and then override all Volto components that use this library. (CVE-2022-24740)

See Also

https://github.com/advisories/GHSA-cfhh-xgwq-5r67

Plugin Details

Severity: High

ID: 413861

Version: Revision 1.6

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.15

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 6

Temporal Score: 4.4

Vector: CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:P

CVSS Score Source: CVE-2022-24740

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 3/14/2022

Vulnerability Publication Date: 3/14/2022

Reference Information

CVE: CVE-2022-24740

cwe: CWE-287