Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS01Mjk3LXdycnAtcmNqN84AA6ui

Shopware Improper Session Handling in store-api account logout

Impact

When an authenticated request is made to POST /store-api/account/logout, the cart is cleared, but the user is not logged out, so the session behind the context token stays usable. This affects only direct store-api usage: the PHP Storefront additionally listens on CustomerLogoutEvent and invalidates the session itself.
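
To tell whether a given deployment still shows this behaviour, the check a practitioner wants is: log in through the store-api, call the logout route, then reuse the old sw-context-token on a customer-only route. The Python probe below is an added example and not Shopware's own code. The base URL, sales-channel access key and customer credentials are placeholders you must supply, and the MockStoreApi class is a constructed stand-in, included only so the probe can be run offline against both the pre-fix and post-fix behaviour. It relies on two store-api facts: a successful login returns a contextToken, and customer-only routes answer 403 with CHECKOUT__CUSTOMER_NOT_LOGGED_IN when the token carries no customer.

```python
# Added probe, not Shopware's own code. Access key and credentials are placeholders;
# MockStoreApi is constructed here so the probe can be exercised offline.
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

LOGIN = "/store-api/account/login"
LOGOUT = "/store-api/account/logout"
CUSTOMER = "/store-api/account/customer"
NOT_LOGGED_IN = {"errors": [{"code": "CHECKOUT__CUSTOMER_NOT_LOGGED_IN"}]}


def store_api(base_url, path, access_key, token=None, body=None):
    """One store-api call: POST when a body is given, else GET. Returns (status, json)."""
    headers = {"sw-access-key": access_key, "Content-Type": "application/json"}
    if token:
        headers["sw-context-token"] = token
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(base_url + path, data=data, headers=headers,
                                 method="POST" if data is not None else "GET")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


def logout_ends_session(base_url, access_key, email, password):
    """Log in, log out, then reuse the old context token on a customer-only route.
    True: token rejected afterwards (fixed). False: still authenticated (advisory behaviour)."""
    status, body = store_api(base_url, LOGIN, access_key,
                             body={"username": email, "password": password})
    if status != 200 or "contextToken" not in body:
        raise RuntimeError(f"login failed: {status} {body}")
    token = body["contextToken"]
    status, _ = store_api(base_url, LOGOUT, access_key, token, body={})
    if status != 200:
        raise RuntimeError(f"logout failed: {status}")
    # A context token without a customer gets 403 CHECKOUT__CUSTOMER_NOT_LOGGED_IN here.
    status, _ = store_api(base_url, CUSTOMER, access_key, token)
    return status == 403


class MockStoreApi(BaseHTTPRequestHandler):
    """Constructed stand-in for the store-api; invalidate_on_logout=False reproduces the bug."""
    invalidate_on_logout = True
    sessions = {}  # token -> {"customer": bool, "cart": list}

    def _send(self, status, payload):
        data = json.dumps(payload).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))  # body not needed
        sess = self.sessions.get(self.headers.get("sw-context-token"))
        if self.path == LOGIN:
            token = f"ctx-{len(self.sessions)}"
            self.sessions[token] = {"customer": True, "cart": ["sku-1"]}
            self._send(200, {"contextToken": token})
        elif self.path == LOGOUT and sess and sess["customer"]:
            sess["cart"] = []                    # both versions clear the cart
            if self.invalidate_on_logout:        # only the fixed version ends the session
                sess["customer"] = False
            self._send(200, {"contextToken": self.headers["sw-context-token"]})
        else:
            self._send(403, NOT_LOGGED_IN)

    def do_GET(self):
        sess = self.sessions.get(self.headers.get("sw-context-token"))
        if self.path == CUSTOMER and sess and sess["customer"]:
            self._send(200, {"email": "shopper@example.com"})
        else:
            self._send(403, NOT_LOGGED_IN)

    def log_message(self, *args):  # keep the mock quiet
        pass


def probe_mock(invalidate_on_logout):
    """Run the probe against a local mock configured as fixed (True) or vulnerable (False)."""
    handler = type("Mock", (MockStoreApi,),
                   {"invalidate_on_logout": invalidate_on_logout, "sessions": {}})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return logout_ends_session(f"http://127.0.0.1:{server.server_port}",
                                   "SWSC-PLACEHOLDER", "shopper@example.com", "secret")
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("fixed mock      -> logout ends session:", probe_mock(True))   # True
    print("vulnerable mock -> logout ends session:", probe_mock(False))  # False
```

Against a real shop, call logout_ends_session with the shop's URL, a sales-channel access key and a test customer's credentials. A False result means the logout only cleared the cart and the old context token must be treated as a live session, which is what this advisory describes for direct store-api use on versions before 6.6.1.0 and 6.5.8.8.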

Patches

The problem has been fixed with Shopware 6.6.1.0 and 6.5.8.8.

Workarounds

When you are not able to update, you can install the latest version of the Shopware Security Plugin.

Permalink: https://github.com/advisories/GHSA-5297-wrrp-rcj7
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01Mjk3LXdycnAtcmNqN84AA6ui
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 26 days ago
Updated: 26 days ago


CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N

Identifiers: GHSA-5297-wrrp-rcj7, CVE-2024-31447
References: Repository: https://github.com/shopware/shopware
Blast Radius: 13.1

Affected Packages

packagist:shopware/platform
Dependent packages: 6
Dependent repositories: 38
Downloads: 1,117,480 total
Affected Version Ranges: >= 6.6.0.0-rc1, < 6.6.1.0, >= 6.3.5.0, < 6.5.8.8
Fixed in: 6.6.1.0, 6.5.8.8
All affected versions: 5.3.1, 6.0.0, 6.1.0, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.2.0, 6.2.1, 6.2.2, 6.2.3
All unaffected versions:
packagist:shopware/core
Dependent packages: 163
Dependent repositories: 298
Downloads: 2,463,943 total
Affected Version Ranges: >= 6.6.0.0-rc1, < 6.6.1.0, >= 6.3.5.0, < 6.5.8.8
Fixed in: 6.6.1.0, 6.5.8.8
All affected versions: 6.0.0, 6.1.0, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.2.0, 6.2.1, 6.2.2, 6.2.3
All unaffected versions: