
CVE-2022-24742: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in Sylius Sylius

Medium
Published: Mon Mar 14 2022 (03/14/2022, 19:20:10 UTC)
Source: CVE
Vendor/Project: Sylius
Product: Sylius

Description

Sylius is an open source eCommerce platform. Prior to versions 1.9.10, 1.10.11, and 1.11.2, any other user can view the data if a browser tab remains open after logout. The issue is fixed in versions 1.9.10, 1.10.11, and 1.11.2. A workaround is available: the application must strictly redirect to the login page even when the browser back button is pressed. Another possibility is to set stricter cache policies for restricted content.

AI-Powered Analysis

Last updated: 06/23/2025, 13:21:43 UTC

Technical Analysis

CVE-2022-24742 is a vulnerability identified in the Sylius open-source eCommerce platform affecting versions prior to 1.9.10, versions from 1.10.0 up to but not including 1.10.11, and versions from 1.11.0 up to but not including 1.11.2. The vulnerability is categorized under CWE-200, which pertains to the exposure of sensitive information to unauthorized actors. The core issue arises when a user logs out of the Sylius application but leaves the browser tab open. Due to insufficient session handling and caching policies, another user who accesses the same browser session (for example, the next person using the device or a malicious actor with local access) can view sensitive data that should have been protected post-logout. This occurs because the application does not enforce a strict redirect to the login page when the browser's back button is pressed after logout, nor does it implement sufficiently strict cache-control headers to prevent the browser from displaying cached restricted content. The vulnerability does not require authentication or complex exploitation techniques; it exploits the browser's behavior in handling cached pages and session state. The issue was addressed in Sylius versions 1.9.10, 1.10.11, and 1.11.2 by enforcing proper redirection and cache policies. No known exploits have been reported in the wild, but the risk remains for environments using affected versions without patches or workarounds. The vulnerability primarily risks confidentiality by exposing potentially sensitive user or transactional data to unauthorized viewers, especially in shared or public computer scenarios.

Potential Impact

For European organizations using Sylius as their eCommerce platform, this vulnerability could lead to unauthorized disclosure of sensitive customer information, including personal data, order details, and possibly payment-related information if such data is displayed on cached pages. This exposure can result in privacy violations under GDPR regulations, leading to legal and financial repercussions. The risk is heightened in environments where devices are shared among multiple users, such as retail points of sale, call centers, or public terminals. Although the vulnerability does not directly allow remote attackers to access data, the local exposure risk can facilitate insider threats or opportunistic data leaks. The integrity and availability of the system are not directly impacted; however, the loss of confidentiality can damage customer trust and brand reputation. Organizations in sectors with high eCommerce reliance, such as retail, travel, and digital services, may face increased risk. Additionally, failure to remediate could attract regulatory scrutiny in Europe due to the sensitivity of exposed data and the strict data protection laws in place.

Mitigation Recommendations

European organizations should prioritize upgrading Sylius installations to versions 1.9.10, 1.10.11, or 1.11.2 or later to fully remediate the vulnerability. Until upgrades are applied, implement strict cache-control headers (e.g., Cache-Control: no-store, no-cache, must-revalidate) on all pages containing sensitive information to prevent browsers from caching restricted content. Additionally, configure the application to enforce a redirect to the login page upon logout and when the back button is pressed, ensuring that no sensitive pages are accessible post-logout. Organizations should also educate users about the risks of leaving browser tabs open after logout, especially on shared devices. For environments with shared or public terminals, consider implementing session timeouts and automatic logout features. Regularly audit web server and application configurations to verify that cache policies and session management adhere to best practices. Monitoring for unusual access patterns or local access attempts can help detect potential exploitation attempts. Finally, document and test these mitigations as part of the organization's security policies and incident response plans.
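The two checks above (strict cache headers on restricted pages, and a redirect to the login page once the session is gone) can be verified from the HTTP responses alone. The following audit helper is an added example, not Sylius or OffSeq code; it assumes the login page lives under a path containing `/login` and takes header dicts from whatever HTTP client you use.

```python
"""Added audit helper (not Sylius code): flags the header and redirect weaknesses behind CVE-2022-24742."""
# Directives a restricted page should carry so the browser never replays it from cache after logout.
REQUIRED_DIRECTIVES = {"no-store", "no-cache", "must-revalidate"}

def parse_cache_control(value):
    """Split 'no-store, max-age=0' into {'no-store': None, 'max-age': '0'} (names lowercased)."""
    directives = {}
    for part in value.split(","):
        name, _, arg = part.strip().lower().partition("=")
        if name:
            directives[name] = arg.strip().strip('"') or None
    return directives

def audit_cache_headers(headers):
    """Return findings for a response that carried restricted (post-login) content; [] means hardened."""
    lower = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(lower.get("cache-control", ""))
    findings = []
    missing = REQUIRED_DIRECTIVES - cc.keys()
    if missing:
        findings.append("Cache-Control lacks " + ", ".join(sorted(missing)))
    if cc.get("max-age") not in (None, "0"):
        findings.append("Cache-Control max-age=%s lets the page be reused from cache" % cc["max-age"])
    if "public" in cc:
        findings.append("Cache-Control: public allows shared caches to store the page")
    if lower.get("pragma", "").strip().lower() != "no-cache":
        findings.append("Pragma: no-cache missing (HTTP/1.0 caches)")
    return findings

def audit_post_logout(status, headers):
    """A restricted URL requested after logout must answer with a redirect to the login page (assumed under /login)."""
    location = {k.lower(): v for k, v in headers.items()}.get("location", "")
    if status not in (302, 303) or "/login" not in location:
        return ["restricted page served after logout (status %d, Location=%r)" % (status, location)]
    return []

if __name__ == "__main__":
    # Constructed sample responses: one weak (cacheable, no Pragma) and one matching the advisory's workaround.
    weak = {"Cache-Control": "max-age=0, must-revalidate, private", "Content-Type": "text/html"}
    hardened = {"Cache-Control": "no-store, no-cache, must-revalidate", "Pragma": "no-cache"}
    print(audit_cache_headers(weak))       # two findings
    print(audit_cache_headers(hardened))   # []
    print(audit_post_logout(200, {}))      # one finding: page still served after logout
```

Run it against a live shop by requesting an account or order page twice, once with a valid session cookie (feed the headers to `audit_cache_headers`) and once after calling the logout URL (feed status and headers to `audit_post_logout`).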


Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2022-02-10T00:00:00.000Z
CISA Enriched
true


Added to database: 5/21/2025, 9:09:22 AM

Last enriched: 6/23/2025, 1:21:43 PM

Last updated: 2/7/2026, 10:26:05 AM

