CVE-2024-31447

MEDIUM

Shopware < 6.5.8.8 - Insufficient Session Expiration

Title source: rule

Description

Shopware 6 is an open commerce platform based on Symfony Framework and Vue. Starting in version 6.3.5.0 and prior to versions 6.6.1.0 and 6.5.8.8, when a authenticated request is made to `POST /store-api/account/logout`, the cart will be cleared, but the User won't be logged out. This affects only the direct store-api usage, as the PHP Storefront listens additionally on `CustomerLogoutEvent` and invalidates the session additionally. The problem has been fixed in Shopware 6.6.1.0 and 6.5.8.8. Those who are unable to update can install the latest version of the Shopware Security Plugin as a workaround.

References (3)

[Vendor Advisory] https://github.com/shopware/shopware/security/advisories/GHSA-5297-wrrp-rcj7

[Patch] https://github.com/shopware/shopware/commit/5cc84ddd817ad0c1d07f9b3c79ab346d50514a77

View Patch ZIP pw:eip

[Patch] https://github.com/shopware/shopware/commit/d29775aa758f70d08e0c5999795c7c26d230e7d3

Scores

CVSS v3 5.3

EPSS 0.0016

EPSS Percentile 37.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-613

Status published

Products (3)

shopware/core 6.3.5.0 - 6.5.8.8Packagist

shopware/platform 6.3.5.0 - 6.5.8.8Packagist

shopware/shopware 6.3.5.0 - 6.5.8.8

Published Apr 08, 2024

Tracked Since Feb 18, 2026