Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS01Mjk3LXdycnAtcmNqN84AA6ui
Shopware Improper Session Handling in store-api account logout
Impact
When an authenticated request is made to POST /store-api/account/logout, the cart is cleared, but the customer is not logged out: the context token used for the request remains authenticated. This affects only direct store-api usage, because the PHP Storefront additionally listens for CustomerLogoutEvent and invalidates the session itself.
Patches
The problem has been fixed with Shopware 6.6.1.0 and 6.5.8.8.
Workarounds
When you are not able to update, you can install the latest version of the Shopware Security Plugin.
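As an added example (not code from the Shopware project or from this advisory), the following Python script checks whether a given Shopware instance shows the behaviour described above: it logs a customer in through the store-api, calls the logout endpoint, and then re-uses the same sw-context-token against GET /store-api/account/customer. If that call still succeeds, logout did not end the customer session. The store-api paths and the sw-access-key / sw-context-token headers are the ones Shopware documents for its store-api; that an unauthenticated call to the customer endpoint returns HTTP 403 is an assumption, as are the placeholder base URL, access key and credentials.

```python
"""Probe whether POST /store-api/account/logout really ends the customer session.

Added example for GHSA-5297-wrrp-rcj7; not Shopware project code.
Assumptions (not taken from the advisory): an unauthenticated request to
GET /store-api/account/customer answers 401 or 403; placeholder URL/credentials.
"""
import json
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class StoreApi:
    base_url: str     # e.g. https://shop.example.test (placeholder)
    access_key: str   # sales-channel access key, sent as sw-access-key

    def _call(self, method: str, path: str, token: Optional[str] = None,
              body: Optional[dict] = None) -> Tuple[int, Optional[str], bytes]:
        """Perform one store-api request; return (status, sw-context-token, body)."""
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base_url + path, data=data, method=method)
        req.add_header("sw-access-key", self.access_key)
        req.add_header("Content-Type", "application/json")
        req.add_header("Accept", "application/json")
        if token:
            req.add_header("sw-context-token", token)
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.status, resp.headers.get("sw-context-token"), resp.read()
        except urllib.error.HTTPError as err:
            # 4xx/5xx are results, not failures, for this probe
            return err.code, err.headers.get("sw-context-token"), err.read()

    def login(self, email: str, password: str) -> str:
        status, header_token, body = self._call(
            "POST", "/store-api/account/login",
            body={"email": email, "password": password})
        if status != 200:
            raise RuntimeError(f"login failed with HTTP {status}: {body[:200]!r}")
        # Shopware returns the customer-bound token in the JSON body and header
        payload = json.loads(body or b"{}")
        token = payload.get("contextToken") or header_token
        if not token:
            raise RuntimeError("login succeeded but no context token was returned")
        return token

    def logout(self, token: str) -> int:
        return self._call("POST", "/store-api/account/logout", token=token)[0]

    def customer_status(self, token: str) -> int:
        """HTTP status of GET /store-api/account/customer with the given token."""
        return self._call("GET", "/store-api/account/customer", token=token)[0]


def verdict(status_before_logout: int, status_after_logout: int) -> str:
    """Interpret the customer-endpoint status before and after logout.

    200 before logout proves the token was authenticated; 200 after logout
    means the logout call did not end the session (the advisory's behaviour).
    """
    if status_before_logout != 200:
        return f"INCONCLUSIVE: token not authenticated before logout (HTTP {status_before_logout})"
    if status_after_logout == 200:
        return "VULNERABLE: context token still authenticated after logout"
    if status_after_logout in (401, 403):  # assumed unauthenticated responses
        return "OK: logout ended the customer session"
    return f"INCONCLUSIVE: unexpected HTTP {status_after_logout} after logout"


def run_probe(api: StoreApi, email: str, password: str) -> Tuple[int, int, str]:
    """Login, record customer status, logout, re-check with the same token."""
    token = api.login(email, password)
    before = api.customer_status(token)
    api.logout(token)
    after = api.customer_status(token)
    return before, after, verdict(before, after)


if __name__ == "__main__":
    # usage: probe.py https://shop.example.test SWSC_ACCESS_KEY user@example.test secret
    if len(sys.argv) != 5:
        sys.exit("usage: probe.py BASE_URL ACCESS_KEY EMAIL PASSWORD")
    base, key, mail, pw = sys.argv[1:]
    b, a, result = run_probe(StoreApi(base, key), mail, pw)
    print(f"customer endpoint before logout: {b}, after logout: {a}")
    print(result)
```

Run it against a staging instance with a throwaway customer account; a "VULNERABLE" result after applying the update or the Security Plugin means the fix is not active on that sales channel.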
Permalink: https://github.com/advisories/GHSA-5297-wrrp-rcj7
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01Mjk3LXdycnAtcmNqN84AA6ui
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 26 days ago
Updated: 26 days ago
CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
Identifiers: GHSA-5297-wrrp-rcj7, CVE-2024-31447
References:
- https://github.com/shopware/shopware/security/advisories/GHSA-5297-wrrp-rcj7
- https://github.com/shopware/shopware/commit/5cc84ddd817ad0c1d07f9b3c79ab346d50514a77
- https://github.com/shopware/shopware/commit/d29775aa758f70d08e0c5999795c7c26d230e7d3
- https://nvd.nist.gov/vuln/detail/CVE-2024-31447
- https://github.com/advisories/GHSA-5297-wrrp-rcj7
Blast Radius: 13.1
Affected Packages
packagist:shopware/platform
Dependent packages: 6
Dependent repositories: 38
Downloads: 1,117,480 total
Affected Version Ranges: >= 6.6.0.0-rc1, < 6.6.1.0, >= 6.3.5.0, < 6.5.8.8
Fixed in: 6.6.1.0, 6.5.8.8
All affected versions: 5.3.1, 6.0.0, 6.1.0, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.2.0, 6.2.1, 6.2.2, 6.2.3
All unaffected versions:
packagist:shopware/core
Dependent packages: 163
Dependent repositories: 298
Downloads: 2,463,943 total
Affected Version Ranges: >= 6.6.0.0-rc1, < 6.6.1.0, >= 6.3.5.0, < 6.5.8.8
Fixed in: 6.6.1.0, 6.5.8.8
All affected versions: 6.0.0, 6.1.0, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.2.0, 6.2.1, 6.2.2, 6.2.3
All unaffected versions: