PT-2024-19397 · Shopware · Shopware
Pweyck
·
Published
2024-01-16
·
Updated
2024-01-24
·
CVE-2024-22407
CVSS v3.1
4.9
Medium
| Vector | AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
Shopware versions prior to 6.5.7.4
Description
The state handler for orders in the Shopware CMS fails to sufficiently verify user authorizations for the actions that modify the payment, delivery, and order status. Because the 'write' permission on orders is not enforced on these state-transition actions, any authenticated administration user can change the order, payment, or delivery state, even when that user holds no 'write' permission for orders.
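The pattern behind the finding, as an added illustrative example that is not Shopware's code: a state-transition handler that applies the requested transition on the strength of the route alone, next to a hardened form that first checks the caller's order write privilege. The class names, the in-memory store, the sample order and the privilege name `order:update` (Shopware's "entity:operation" naming convention) are assumptions made for this example; it runs stand-alone under PHP 8.1 or later.

```php
<?php
// Added example, not code from Shopware. Models the bug class of CVE-2024-22407:
// an order state transition that never checks the caller's order 'write' privilege.
declare(strict_types=1);

final class AccessDeniedException extends RuntimeException {}

/** Stand-in for the Admin API context: a user id and the privileges granted to it (assumed shape). */
final class AdminContext
{
    /** @param string[] $privileges Shopware-style "entity:operation" names, e.g. 'order:read' (assumed). */
    public function __construct(public readonly string $userId, public readonly array $privileges) {}

    public function isAllowed(string $privilege): bool
    {
        return in_array($privilege, $this->privileges, true);
    }
}

/** Toy in-memory store standing in for the order, order_transaction and order_delivery entities. */
final class OrderStore
{
    /** @var array<string, array<string, string>> orderId => [field => state] */
    private array $orders = [];

    public function __construct()
    {
        // Constructed sample order: all three state machines start in 'open'.
        $this->orders['order-1'] = ['order' => 'open', 'payment' => 'open', 'delivery' => 'open'];
    }

    public function getState(string $orderId, string $field): string
    {
        return $this->orders[$orderId][$field];
    }

    public function setState(string $orderId, string $field, string $state): void
    {
        $this->orders[$orderId][$field] = $state;
    }
}

/** Vulnerable pattern: the transition is applied for any authenticated admin user. */
final class VulnerableOrderStateHandler
{
    public function __construct(private OrderStore $store) {}

    public function transition(AdminContext $ctx, string $orderId, string $field, string $newState): void
    {
        // No privilege check at all; $ctx is accepted but never consulted.
        $this->store->setState($orderId, $field, $newState);
    }
}

/** Hardened pattern: require the order write privilege before any of the three state machines moves. */
final class HardenedOrderStateHandler
{
    public function __construct(private OrderStore $store) {}

    public function transition(AdminContext $ctx, string $orderId, string $field, string $newState): void
    {
        // 'order:update' is the assumed name of the write privilege on orders.
        if (!$ctx->isAllowed('order:update')) {
            throw new AccessDeniedException(sprintf('user %s lacks order:update', $ctx->userId));
        }
        $this->store->setState($orderId, $field, $newState);
    }
}

// Demo: a read-only support user tries to mark the payment of order-1 as paid.
$readOnly = new AdminContext('support-agent', ['order:read']);

$store = new OrderStore();
(new VulnerableOrderStateHandler($store))->transition($readOnly, 'order-1', 'payment', 'paid');
echo 'vulnerable handler: payment state is now ' . $store->getState('order-1', 'payment') . PHP_EOL;

$store = new OrderStore();
try {
    (new HardenedOrderStateHandler($store))->transition($readOnly, 'order-1', 'payment', 'paid');
} catch (AccessDeniedException $e) {
    echo 'hardened handler: ' . $e->getMessage() . PHP_EOL;
}
echo 'hardened handler: payment state is still ' . $store->getState('order-1', 'payment') . PHP_EOL;
```

The check sits inside the handler rather than only in a route-level ACL rule, so every path that reaches the state machine (order, payment, delivery) is covered by the same privilege test. Run with `php example.php`; the vulnerable handler moves the payment to `paid` for the read-only user, the hardened one refuses and leaves it at `open`.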
Recommendations
Update to Shopware 6.5.7.4 or later.
For the older 6.1, 6.2, 6.3, and 6.4 release lines, the corresponding security fix is also available as a plugin.
Until the patch is applied, note that the order 'write' permission itself is not enforced on these actions, so restricting it does not help; instead limit which administration accounts and roles can reach the order state modification actions at all, and review order, payment, and delivery state changes made by accounts that should not have been able to make them.
Weakness Enumeration
Improper Access Control
Related Identifiers
CVE-2024-22407
Affected Products
Shopware