CVE-2022-24743: 
PHP vulnerability analysis and mitigation

CVE-2022-24743 affects Sylius, an open source eCommerce platform, in versions prior to 1.10.11 and 1.11.2. The vulnerability was discovered and disclosed in March 2022, where the reset password token was not being set to null after a password change (GitHub Advisory).

The vulnerability is classified as CWE-613 (Insufficient Session Expiration) with a CVSS v3.1 base score of 8.2 (HIGH) according to NVD assessment (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N). The core issue lies in the password reset functionality where the reset token remains valid even after a successful password change (NVD).

The vulnerability allows the same password reset token to be used multiple times, potentially leading to unauthorized password changes if the token is leaked. This creates a significant security risk as it could allow attackers to maintain persistent access to password reset functionality (GitHub Advisory).

The vulnerability has been patched in Sylius versions 1.10.11 and 1.11.2. For users unable to update immediately, a workaround is available by overwriting the Sylius\Bundle\ApiBundle\CommandHandler\ResetPasswordHandler class and registering it in the container with specific code provided by the maintainers (GitHub Advisory, Sylius Release).