CVE-2024-31447

MEDIUM EPSS 38.9%
Published Apr 8, 20242y ago · Modified Jun 17, 20261w ago
5.3 CVSS 3.1
Medium
Find Similar
Published Apr 8, 2024 2y ago
Last Modified Jun 17, 2026 1w ago

Description

Shopware 6 is an open commerce platform based on Symfony Framework and Vue. Starting in version 6.3.5.0 and prior to versions 6.6.1.0 and 6.5.8.8, when a authenticated request is made to `POST /store-api/account/logout`, the cart will be cleared, but the User won't be logged out. This affects only the direct store-api usage, as the PHP Storefront listens additionally on `CustomerLogoutEvent` and invalidates the session additionally. The problem has been fixed in Shopware 6.6.1.0 and 6.5.8.8. Those who are unable to update can install the latest version of the Shopware Security Plugin as a workaround.

CVSS Details

Base Score
5.3
Exploitability
1.6
Impact
3.6
Vector string
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
Attack Vector Network
Attack Complexity High
Privileges Required None
User Interaction Required
Scope Unchanged
Confidentiality None
Integrity High
Availability None

Threat Intelligence

EPSS Exploit Probability
38.9% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-613

Affected Products 2

VendorProductVersionRange
shopwareshopware*≥6.3.5.0  –  <6.5.8.8
shopwareshopware*≥6.6.0.0  –  <6.6.1.0

References 3

  • github.com https://github.com/shopware/shopware/commit/5cc84ddd817ad0c1d07f9b3c79ab346d50514a77
    Patch
  • github.com https://github.com/shopware/shopware/commit/d29775aa758f70d08e0c5999795c7c26d230e7d3
    Patch
  • github.com https://github.com/shopware/shopware/security/advisories/GHSA-5297-wrrp-rcj7
    Vendor Advisory

Remediation

  • github.com https://github.com/shopware/shopware/commit/5cc84ddd817ad0c1d07f9b3c79ab346d50514a77
    Patch
  • github.com https://github.com/shopware/shopware/commit/d29775aa758f70d08e0c5999795c7c26d230e7d3
    Patch