CVE-2024-31447

CVSS 3.1 Score 5.3 of 10 (medium)

Details

Published Apr 8, 2024

CWE ID 613

Summary

CVE-2024-31447 affects Shopware 6 versions prior to 6.6.1.0 and 6.5.8.8, which use the Symfony Framework and Vue. In these versions, an authenticated user can make a POST request to `/store-api/account/logout`, causing the cart to be cleared but failing to log the user out. This vulnerability only impacts direct store-api usage, as Shopware also listens for the `CustomerLogoutEvent` and invalidates the session accordingly. The issue has been resolved in Shopware 6.6.1.0 and 6.5.8.8. Users unable to update can install the latest version of the Shopware Security Plugin as a temporary workaround.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.

https://app.recordedfuture.com/live/sc/entity/vRW4Td
https://www.cve.org/CVERecord?id=CVE-2024-31447
https://nvd.nist.gov/vuln/detail/CVE-2024-31447

Back to Vulnerability Database

CVE-2024-31447

CVSS 3.1 Score 5.3 of 10 (medium)

Details

Summary

Advisories, Assessments, and Mitigations