Cart Clearing Issue in Shopware 6.3.5.0 and Prior Versions
CVE-2024-31447

5.3MEDIUM

Key Information:

Vendor

Shopware

Status
Shopware
Vendor
CVE Published:
8 April 2024

What is CVE-2024-31447?

Shopware 6 is an open commerce platform based on Symfony Framework and Vue. Starting in version 6.3.5.0 and prior to versions 6.6.1.0 and 6.5.8.8, when a authenticated request is made to POST /store-api/account/logout, the cart will be cleared, but the User won't be logged out. This affects only the direct store-api usage, as the PHP Storefront listens additionally on CustomerLogoutEvent and invalidates the session additionally. The problem has been fixed in Shopware 6.6.1.0 and 6.5.8.8. Those who are unable to update can install the latest version of the Shopware Security Plugin as a workaround.

Affected Version(s)

shopware >= 6.3.5.0, < 6.5.8.8 < 6.3.5.0, 6.5.8.8

shopware >= 6.6.0.0-rc1, < 6.6.1.0 < 6.6.0.0-rc1, 6.6.1.0

References

https://github.com/shopware/shopware/security/advisories/...
x_refsource_CONFIRM
https://github.com/shopware/shopware/commit/5cc84ddd817ad...
x_refsource_MISC
https://github.com/shopware/shopware/commit/d29775aa758f7...
x_refsource_MISC

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.