CVE-2024-31447 — Insufficient Session Expiration in Shopware
Severity
5.3 MEDIUM (NVD)
EPSS
0.2%
top 62.60%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published Apr 8
Description
Shopware 6 is an open commerce platform based on Symfony Framework and Vue. Starting in version 6.3.5.0 and prior to versions 6.6.1.0 and 6.5.8.8, when an authenticated request is made to `POST /store-api/account/logout`, the cart is cleared, but the user is not logged out. This affects only direct store-api usage, because the PHP Storefront additionally listens on `CustomerLogoutEvent` and invalidates the session. The problem has been fixed in Shopware 6.6.1.0 and 6.5.8.8. Tho…
CVSS vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
Exploitability: 1.6 | Impact: 3.6