GHSA-5297-wrrp-rcj7: Shopware Improper Session Handling in store-api account logout
Impact
When an authenticated request is made to POST /store-api/account/logout, the cart will be cleared, but the user will not be logged out. This affects only direct store-api usage, as the PHP Storefront additionally listens on CustomerLogoutEvent and invalidates the session itself.
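A regression check for the behaviour described above, added here as an example and not part of the advisory or of Shopware's own code. It assumes a Store API access key and a context token of a logged-in customer, and the constructed FakeShopware stand-in lets it run offline against both the vulnerable and the patched behaviour.

```python
import urllib.error
import urllib.request
from typing import Callable, Optional, Tuple

# fetch(method, url, headers, body) -> (status, body). Injectable so the check also runs offline.
Fetch = Callable[[str, str, dict, Optional[bytes]], Tuple[int, str]]


def urllib_fetch(method: str, url: str, headers: dict, body: Optional[bytes]) -> Tuple[int, str]:
    """Real transport against a Shopware instance; non-2xx answers are returned, not raised."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def logout_invalidates_token(base_url: str, access_key: str, token: str, fetch: Fetch) -> bool:
    """True when logout really ends the session: after POST /store-api/account/logout the same
    sw-context-token must be rejected by GET /store-api/account/customer (a 200 is the advisory's bug)."""
    headers = {"sw-access-key": access_key, "sw-context-token": token,
               "Content-Type": "application/json", "Accept": "application/json"}
    status, _ = fetch("POST", f"{base_url}/store-api/account/logout", headers, b"{}")
    if status != 200:
        raise RuntimeError(f"logout returned HTTP {status}; the token is probably not a logged-in customer")
    status, _ = fetch("GET", f"{base_url}/store-api/account/customer", headers, None)
    return status in (401, 403)


class FakeShopware:
    """Constructed offline stand-in for a store: `fixed` selects patched or vulnerable logout behaviour."""

    def __init__(self, fixed: bool, logged_in_token: str = "ctx-token-A") -> None:
        self.fixed = fixed
        self.sessions = {logged_in_token}   # tokens currently bound to a customer
        self.carts = {logged_in_token: ["sku-1"]}

    def __call__(self, method: str, url: str, headers: dict, body: Optional[bytes]) -> Tuple[int, str]:
        token = headers.get("sw-context-token")
        if method == "POST" and url.endswith("/store-api/account/logout"):
            if token not in self.sessions:
                return 403, '{"errors":[]}'
            self.carts[token] = []            # both versions clear the cart ...
            if self.fixed:
                self.sessions.discard(token)  # ... only the patched one drops the session
            return 200, "{}"
        if method == "GET" and url.endswith("/store-api/account/customer"):
            return (200, '{"id":"customer"}') if token in self.sessions else (403, '{"errors":[]}')
        return 404, '{"errors":[]}'
```

Against a live instance, pass `urllib_fetch` instead of the fake; a `False` result means the stale token is still accepted and the store is unpatched.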
Patches
The problem has been fixed with Shopware 6.6.1.0 and 6.5.8.8.
Workarounds
When you are not able to update, you can install the latest version of the Shopware Security Plugin.
- CVE-2024-31447
Moderate severity GitHub Reviewed Published Apr 8, 2024 in shopware/shopware • Updated Apr 8, 2024
Package
composer shopware/core (Composer)
Affected versions
>= 6.3.5.0, < 6.5.8.8
>= 6.6.0.0-rc1, < 6.6.1.0
Patched versions
6.5.8.8
6.6.1.0
References
- GHSA-5297-wrrp-rcj7
- shopware/shopware@5cc84dd
- shopware/shopware@d29775a
Published to the GitHub Advisory Database
Apr 8, 2024