Mdanilowicz

**Name of the Vulnerable Software and Affected Versions** Shopware 6 versions 6.3.5.0 through 6.6.1.0 and prior to 6.5.8.8 can be simplified to: Shopware 6 versions 6.3.5.0 through 6.6.0 and versions 6.5.0 through 6.5.8.7 **Description** Shopware 6 is an open commerce platform based on Symfony Framework and Vue. When an authenticated request is made to `POST /store-api/account/logout`, the cart will be cleared, but the user won't be logged out. This affects only the direct store-api usage, as the PHP Storefront listens additionally on `CustomerLogoutEvent` and invalidates the session additionally. **Recommendations** For Shopware 6 versions 6.3.5.0 through 6.6.0, update to version 6.6.1.0. For Shopware 6 versions 6.5.0 through 6.5.8.7, update to version 6.5.8.8. As a temporary workaround for those unable to update, install the latest version of the Shopware Security Plugin. Restrict access to the `POST /store-api/account/logout` endpoint until the issue is resolved.