logo

Database

Insecure session management In shopware/platform

Description

Shopware Improper Session Handling in store-api account logout

Impact

When a authentificated request is made to POST /store-api/account/logout, the cart will be cleared, but the User won't be logged out. This affects only the direct store-api usage, as the PHP Storefront listens additionally on CustomerLogoutEvent and invalidates the session additionally.

Patches

The problem has been fixed with Shopware 6.6.1.0 and 6.5.8.8.

Workarounds

When you are not able to update, you can install the latest version of the Shopware Security Plugin.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2024-314472. NVD-2024-314473. OSV-2024-314474. GHSA-5297-wrrp-rcj75. GCVE-2024-31447

References

1. https://github.com/shopware/shopware/security/advisories/GHSA-5297-wrrp-rcj72. https://github.com/shopware/shopware/commit/5cc84ddd817ad0c1d07f9b3c79ab346d50514a773. https://github.com/shopware/shopware/commit/d29775aa758f70d08e0c5999795c7c26d230e7d3

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.