GHSA-5297-wrrp-rcj7

Suggest an improvement
Source
https://github.com/advisories/GHSA-5297-wrrp-rcj7
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-5297-wrrp-rcj7/GHSA-5297-wrrp-rcj7.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-5297-wrrp-rcj7
Aliases
Published
2024-04-08T15:48:27Z
Modified
2024-04-10T18:57:27.460824Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N CVSS Calculator
Summary
Shopware Improper Session Handling in store-api account logout
Details

Impact

When a authentificated request is made to POST /store-api/account/logout, the cart will be cleared, but the User won't be logged out. This affects only the direct store-api usage, as the PHP Storefront listens additionally on CustomerLogoutEvent and invalidates the session additionally.

Patches

The problem has been fixed with Shopware 6.6.1.0 and 6.5.8.8.

Workarounds

When you are not able to update, you can install the latest version of the Shopware Security Plugin.

References

Affected packages

Packagist / shopware/core

Package

Name
shopware/core
Purl
pkg:composer/shopware/core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.3.5.0
Fixed
6.5.8.8

Affected versions

6.*

6.3.5.0
6.3.5.1
6.3.5.2
6.3.5.3
6.3.5.4
6.4.0.0-RC1
6.4.0.0
6.4.1.0
6.4.1.1
6.4.1.2
6.4.2.0
6.4.2.1
6.4.3.0
6.4.3.1
6.4.4.0
6.4.4.1
6.4.5.0
6.4.5.1
6.4.6.0
6.4.6.1
6.4.7.0
6.4.8.0
6.4.8.1
6.4.8.2
6.4.9.0
6.4.10.0
6.4.10.1
6.4.11.0
6.4.11.1
6.4.12.0
6.4.13.0
6.4.14.0
6.4.15.0
6.4.15.1
6.4.15.2
6.4.16.0
6.4.16.1
6.4.17.0
6.4.17.1
6.4.17.2
6.4.18.0
6.4.18.1
6.4.19.0
6.4.20.0
6.4.20.1
6.4.20.2
6.5.0.0-rc1
6.5.0.0-rc2
6.5.0.0-rc3
6.5.0.0-rc4
6.5.0.0

v6.*

v6.5.1.0
v6.5.1.1
v6.5.2.0
v6.5.2.1
v6.5.3.0
v6.5.3.1
v6.5.3.2
v6.5.3.3
v6.5.4.0
v6.5.4.1
v6.5.5.0
v6.5.5.1
v6.5.5.2
v6.5.6.0
v6.5.6.1
v6.5.7.0
v6.5.7.1
v6.5.7.2
v6.5.7.3
v6.5.7.4
v6.5.8.0
v6.5.8.1
v6.5.8.2
v6.5.8.3
v6.5.8.4
v6.5.8.5
v6.5.8.6
v6.5.8.7

Packagist / shopware/platform

Package

Name
shopware/platform
Purl
pkg:composer/shopware/platform

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.3.5.0
Fixed
6.5.8.8

Affected versions

6.*

6.3.5.0
6.3.5.1
6.3.5.2
6.3.5.3
6.3.5.4
6.4.0.0-RC1
6.4.0.0
6.4.1.0
6.4.1.1
6.4.1.2
6.4.2.0
6.4.2.1
6.4.3.0
6.4.3.1
6.4.4.0
6.4.4.1
6.4.5.0
6.4.5.1
6.4.6.0
6.4.6.1
6.4.7.0
6.4.8.0
6.4.8.1
6.4.8.2
6.4.9.0
6.4.10.0
6.4.10.1
6.4.11.0
6.4.11.1
6.4.12.0
6.4.13.0
6.4.14.0
6.4.15.0
6.4.15.1
6.4.15.2
6.4.16.0
6.4.16.1
6.4.17.0
6.4.17.1
6.4.17.2
6.4.18.0
6.4.18.1
6.4.19.0
6.4.20.0
6.4.20.1
6.4.20.2
6.5.0.0-rc1
6.5.0.0-rc2
6.5.0.0-rc3
6.5.0.0-rc4
6.5.0.0

v6.*

v6.5.1.0
v6.5.1.1
v6.5.2.0
v6.5.2.1
v6.5.3.0
v6.5.3.1
v6.5.3.2
v6.5.3.3
v6.5.4.0
v6.5.4.1
v6.5.5.0
v6.5.5.1
v6.5.5.2
v6.5.6.0
v6.5.6.1
v6.5.7.0
v6.5.7.1
v6.5.7.2
v6.5.7.3
v6.5.7.4
v6.5.8.0
v6.5.8.1
v6.5.8.2
v6.5.8.3
v6.5.8.4
v6.5.8.5
v6.5.8.6
v6.5.8.7

Packagist / shopware/core

Package

Name
shopware/core
Purl
pkg:composer/shopware/core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.6.0.0-rc1
Fixed
6.6.1.0

Affected versions

v6.*

v6.6.0.0-rc1
v6.6.0.0-rc2
v6.6.0.0-rc3
v6.6.0.0-rc4
v6.6.0.0-rc5
v6.6.0.0-rc6
v6.6.0.0-rc7
v6.6.0.0
v6.6.0.1
v6.6.0.2
v6.6.0.3

Packagist / shopware/platform

Package

Name
shopware/platform
Purl
pkg:composer/shopware/platform

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.6.0.0-rc1
Fixed
6.6.1.0

Affected versions

v6.*

v6.6.0.0-rc1
v6.6.0.0-rc2
v6.6.0.0-rc3
v6.6.0.0-rc4
v6.6.0.0-rc5
v6.6.0.0-rc6
v6.6.0.0-rc7
v6.6.0.0
v6.6.0.1
v6.6.0.2
v6.6.0.3