CVE-2024-31447 – shopware/platform

Package

Manager: composer
Name: shopware/platform
Vulnerable Version: >=6.3.5.0 <6.5.8.8 || >=6.6.0.0-rc1 <6.6.1.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00075 pctl0.23154

Details

Shopware Improper Session Handling in store-api account logout ### Impact When a authentificated request is made to `POST /store-api/account/logout`, the cart will be cleared, but the User won't be logged out. This affects only the direct store-api usage, as the PHP Storefront listens additionally on `CustomerLogoutEvent` and invalidates the session additionally. ### Patches The problem has been fixed with Shopware 6.6.1.0 and 6.5.8.8. ### Workarounds When you are not able to update, you can install the latest version of the Shopware Security Plugin.

Metadata

Created: 2024-04-08T15:48:27Z
Modified: 2024-04-08T18:34:00Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-5297-wrrp-rcj7/GHSA-5297-wrrp-rcj7.json
CWE IDs: ["CWE-613"]
Alternative ID: GHSA-5297-wrrp-rcj7
Finding: F076
Auto approve: 1