Headline
GHSA-3867-jc5c-66qf: Broken Access Control order API in Shopware
Impact
In the Shopware CMS, the state handler for orders fails to sufficiently verify user authorizations for actions that modify the payment, delivery, and/or order status. Due to this inadequate implementation, users lacking ‘write’ permissions for orders are still able to change the order state.
Patches
Update to Shopware 6.5.7.4
Workarounds
For the older 6.1, 6.2, 6.3 and 6.4 release lines, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.
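The missing authorization check described under Impact, modelled as an added Python example that is not Shopware's code: a state-transition handler for the order, delivery and payment state machines, shown in the unchecked shape the advisory describes and in a hardened shape that requires the order write privilege first. The privilege name order:update, the state and action names, and the Context and Order types are assumptions.

```python
from dataclasses import dataclass

class PermissionDenied(Exception):
    """The acting user lacks the privilege the action requires."""
class IllegalTransition(Exception):
    """The action is not valid from the current state."""

# Constructed transition tables (assumed names, not Shopware's) for the three state machines.
TRANSITIONS = {
    "order": {"open": {"process": "in_progress", "cancel": "cancelled"},
              "in_progress": {"complete": "completed", "cancel": "cancelled"}},
    "delivery": {"open": {"ship": "shipped", "cancel": "cancelled"}},
    "payment": {"open": {"pay": "paid", "cancel": "cancelled"}},
}

@dataclass
class Context:
    user: str
    privileges: frozenset  # e.g. frozenset({"order:read", "order:update"})

@dataclass
class Order:
    order_state: str = "open"
    delivery_state: str = "open"
    payment_state: str = "open"

def transition_unchecked(order, machine, action):
    """Shape of the flaw: the transition is applied with no authorization
    check, so any user who reaches the endpoint can change the state."""
    current = getattr(order, f"{machine}_state")
    try:
        new_state = TRANSITIONS[machine][current][action]
    except KeyError:
        raise IllegalTransition(f"{machine}: no '{action}' from '{current}'")
    setattr(order, f"{machine}_state", new_state)
    return new_state

def transition(order, machine, action, ctx):
    """Hardened handler: require the order write privilege (assumed name
    'order:update') before touching any of the three state machines."""
    if "order:update" not in ctx.privileges:
        raise PermissionDenied(f"user '{ctx.user}' lacks order:update")
    return transition_unchecked(order, machine, action)

def try_transition(order, machine, action, ctx):
    """Return the outcome as a short string, as an audit log would record it."""
    try:
        return "ok:" + transition(order, machine, action, ctx)
    except (PermissionDenied, IllegalTransition) as exc:
        return type(exc).__name__
```

A read-only user is refused before any state is touched, while the unchecked path changes state for anyone who can call it.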
CVE-2024-22407
Severity: Moderate (GitHub Reviewed)
Published Jan 16, 2024 in shopware/shopware. Updated Jan 17, 2024.
Package: shopware/core (Composer)
Affected versions: <= 6.5.7.3
References
- GHSA-3867-jc5c-66qf
- https://nvd.nist.gov/vuln/detail/CVE-2024-22407
- shopware/core@7814248
- shopware/shopware@fb25e24
Published to the GitHub Advisory Database: Jan 17, 2024
Last updated: Jan 17, 2024