CVE-2024-31447
CVSS V2 None
CVSS V3 None
Description
Shopware 6 is an open commerce platform based on Symfony Framework and Vue. Starting in version 6.3.5.0 and prior to versions 6.6.1.0 and 6.5.8.8, when a authenticated request is made to `POST /store-api/account/logout`, the cart will be cleared, but the User won't be logged out. This affects only the direct store-api usage, as the PHP Storefront listens additionally on `CustomerLogoutEvent` and invalidates the session additionally. The problem has been fixed in Shopware 6.6.1.0 and 6.5.8.8. Those who are unable to update can install the latest version of the Shopware Security Plugin as a workaround.
Overview
- CVE ID
- CVE-2024-31447
- Assigner
- GitHub_M
- Vulnerability Status
- PUBLISHED
- Published Version
- 2024-04-08T15:39:29.678Z
- Last Modified Date
- 2024-04-08T15:48:24.047Z
Weakness Enumerations
References
| Reference URL | Reference Tags |
|---|---|
| https://github.com/shopware/shopware/security/advisories/GHSA-5297-wrrp-rcj7 | x_refsource_CONFIRM |
| https://github.com/shopware/shopware/commit/5cc84ddd817ad0c1d07f9b3c79ab346d50514a77 | x_refsource_MISC |
| https://github.com/shopware/shopware/commit/d29775aa758f70d08e0c5999795c7c26d230e7d3 | x_refsource_MISC |
Sources
| Source Name | Source URL |
|---|---|
| NIST | https://nvd.nist.gov/vuln/detail/CVE-2024-31447 |
| MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-31447 |
History
| Created | Old Value | New Value | Data Type | Notes |
|---|---|---|---|---|
| 2024-06-24 00:08:50 | Added to TrackCVE |