CVE-2024-22407Improper Access Control in Shopware

CWE-284Improper Access Control3 documents3 sources
Severity
6.5MEDIUMNVD
EPSS
0.1%
top 70.99%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
ShopwareShopware CoreShopware Platform
Timeline
PublishedJan 16
Latest updateJan 17

Description

Shopware is an open headless commerce platform. In the Shopware CMS, the state handler for orders fails to sufficiently verify user authorizations for actions that modify the payment, delivery, and/or order status. Due to this inadequate implementation, users lacking 'write' permissions for orders are still able to change the order state. This issue has been addressed and users are advised to update to Shopware 6.5.7.4. For older versions of 6.1, 6.2, 6.3 and 6.4 corresponding security measures

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

Packagistshopware/platform< 6.5.7.4
Packagistshopware/core< 6.5.7.4
NVDshopware/shopware< 6.5.7.4

🔴Vulnerability Details

2
OSV
Broken Access Control order API in Shopware2024-01-17
GHSA
Broken Access Control order API in Shopware2024-01-17