
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2022-24742 affects Sylius, an open source eCommerce platform. The vulnerability was discovered in versions prior to 1.9.10, 1.10.11, and 1.11.2, where sensitive data remains accessible if a browser tab is left open after user logout. The issue was disclosed on March 14, 2022, and was fixed in versions 1.9.10, 1.10.11, and 1.11.2 (GitHub Release, GitHub Advisory).
The vulnerability is classified with a CVSS v3.1 Base Score of 5.5 (Medium) with vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N. It is categorized under CWE-668 (Exposure of Resource to Wrong Sphere) and CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The issue occurs when a user logs out but leaves the browser tab open, allowing potential attackers to use the browser's back button to view previously accessed content (NVD).
The vulnerability could lead to unauthorized access to sensitive information such as customer details and payment gateway configurations, but only for pages previously viewed by the administrator. While no active actions can be performed through this exposure, and any page refresh would block further access, it presents a significant data leak risk (GitHub Advisory).
The vulnerability has been patched in Sylius versions 1.9.10, 1.10.11, and 1.11.2. For unpatched systems, two workarounds are available: 1) configure the application to redirect strictly to the login page when the browser back button is pressed, or 2) apply stricter cache policies to restricted content by setting no-store cache control directives. Both can be implemented through custom event subscribers and section resolvers (GitHub Advisory).
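The second workaround, as an added example that is not Sylius' own code: a Symfony event subscriber that sets no-store cache directives on every response from the restricted (admin) section, so that a logged-out user's back button re-requests the page (and is redirected to login) instead of showing a cached copy. It assumes a Symfony 5.3+ kernel (for isMainRequest()) and that admin routes live under the /admin path prefix; a Sylius section resolver could be injected to make that decision instead.

```php
<?php
// Added example (not Sylius' own code): no-store cache policy for the
// restricted section, applied on the kernel.response event.
// Assumptions: Symfony 5.3+ (isMainRequest) and admin routes under /admin.

declare(strict_types=1);

namespace App\EventSubscriber;

use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpKernel\Event\ResponseEvent;
use Symfony\Component\HttpKernel\KernelEvents;

final class AdminNoStoreCacheSubscriber implements EventSubscriberInterface
{
    // Assumed path prefix of the restricted section; swap in a Sylius
    // section resolver if your admin lives elsewhere.
    private const RESTRICTED_PREFIX = '/admin';

    public static function getSubscribedEvents(): array
    {
        // Negative priority: run late so other response listeners do not
        // overwrite the headers set here.
        return [KernelEvents::RESPONSE => ['onKernelResponse', -10]];
    }

    public function onKernelResponse(ResponseEvent $event): void
    {
        if (!$event->isMainRequest()) {
            return; // sub-requests (fragments, ESI) follow the main response
        }

        $path = $event->getRequest()->getPathInfo();
        if (0 !== strpos($path, self::RESTRICTED_PREFIX)) {
            return; // leave storefront caching untouched
        }

        $response = $event->getResponse();
        // no-store forbids browsers and proxies (including the history cache
        // in most browsers) from keeping a copy of the restricted page; the
        // remaining directives cover older HTTP/1.0 caches.
        $response->headers->set('Cache-Control', 'no-store, no-cache, must-revalidate, max-age=0');
        $response->headers->set('Pragma', 'no-cache');
        $response->headers->set('Expires', '0');
    }
}
```

With Symfony's default autoconfigure enabled, a class implementing EventSubscriberInterface under src/ is registered as a subscriber automatically; otherwise tag the service with kernel.event_subscriber.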
Source: This report was generated using AI