CVE-2024-31447
CVE-2024-31447 is a medium-severity vulnerability rated 5.3/10 on the CVSS scale. Shopware 6 is an open commerce platform based on the Symfony Framework and Vue. Starting in version 6.3.5.0 and prior to versions 6.6.1.0 and 6.5.8.8, when an authenticated request is made to `POST /store-api/account/logout`, the cart is cleared, but the user is not logged out. EPSS estimates a 0.50% chance of exploitation in the next 30 days.
Description
Shopware 6 is an open commerce platform based on the Symfony Framework and Vue. Starting in version 6.3.5.0 and prior to versions 6.6.1.0 and 6.5.8.8, when an authenticated request is made to `POST /store-api/account/logout`, the cart is cleared, but the user is not logged out: the context token that authenticates the customer remains valid. This affects only direct store-api usage, because the PHP Storefront additionally listens on `CustomerLogoutEvent` and invalidates the session itself. The problem has been fixed in Shopware 6.6.1.0 and 6.5.8.8. Those who are unable to update can install the latest version of the Shopware Security Plugin as a workaround.
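To make the failure mode concrete, the following is an added Python model of the two logout behaviours described above. It is not Shopware's code: the `SessionStore`, the context-token layout and the function names are assumptions. The vulnerable variant empties the cart but leaves the token bound to the customer; the corrected variant also drops the token, so a later request carrying it is no longer authenticated. The `logout_invalidates_session` check is the kind of regression test a deployment can keep to confirm that logout really ends the session.

```python
"""Model of CVE-2024-31447: a store-API logout that clears the cart but keeps
the session alive, beside a corrected logout that also invalidates the token.

Constructed illustration, not Shopware's implementation; the SessionStore
and its token handling are assumptions made for this example.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional
import secrets


@dataclass
class ContextState:
    """What a context token resolves to: the bound customer and the cart."""
    customer_id: Optional[str] = None
    cart: List[str] = field(default_factory=list)


class SessionStore:
    """In-memory stand-in for a context-token persister (assumed structure)."""

    def __init__(self) -> None:
        self._contexts: Dict[str, ContextState] = {}

    def login(self, customer_id: str) -> str:
        # Issue a fresh random context token bound to the customer.
        token = secrets.token_hex(16)
        self._contexts[token] = ContextState(customer_id=customer_id)
        return token

    def add_to_cart(self, token: str, line_item: str) -> None:
        self._contexts[token].cart.append(line_item)

    def get(self, token: str) -> Optional[ContextState]:
        return self._contexts.get(token)

    def is_authenticated(self, token: str) -> bool:
        # A token authenticates as long as it still resolves to a customer.
        ctx = self._contexts.get(token)
        return ctx is not None and ctx.customer_id is not None

    def delete(self, token: str) -> None:
        self._contexts.pop(token, None)


def logout_vulnerable(store: SessionStore, token: str) -> None:
    """Mirrors the reported behaviour: cart emptied, customer binding kept."""
    ctx = store.get(token)
    if ctx is None:
        return
    ctx.cart.clear()
    # No token invalidation: the same token still authenticates afterwards.


def logout_fixed(store: SessionStore, token: str) -> None:
    """Cart emptied AND the context token dropped, so it no longer authenticates."""
    ctx = store.get(token)
    if ctx is None:
        return
    ctx.cart.clear()
    store.delete(token)


def logout_invalidates_session(logout: Callable[[SessionStore, str], None]) -> bool:
    """Regression check: after logout, the old token must not authenticate
    and the cart must be empty. Uses a constructed customer and line item."""
    store = SessionStore()
    token = store.login("customer-42")
    store.add_to_cart(token, "SKU-1")
    logout(store, token)
    ctx = store.get(token)
    cart_cleared = ctx is None or ctx.cart == []
    return cart_cleared and not store.is_authenticated(token)


if __name__ == "__main__":
    print("vulnerable logout ends session:", logout_invalidates_session(logout_vulnerable))
    print("fixed logout ends session:     ", logout_invalidates_session(logout_fixed))
```

Against a live instance the equivalent check is the same sequence over HTTP: log in, call `POST /store-api/account/logout` with the context token, then replay an authenticated account request with that same token and treat any success as a failed logout.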
Metrics
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Shopware | Shopware | >= 6.3.5.0, < 6.5.8.8 |
| Shopware | Shopware | >= 6.6.0.0, < 6.6.1.0 |
Source: NVD / NIST
