CVE-2024-27917

Name of the Vulnerable Software and Affected Versions Shopware versions 6.5.8.0 through 6.5.8.6

Description The issue arises from the Symfony Session Handler popping the Session Cookie and assigning it to the Response. Since Shopware 6.5.8.0, 404 pages are cached to improve performance, resulting in a cached Response containing a Session Cookie when the browser accessing the 404 page has no cookies yet. This occurs when no explicit Session configuration has been done and Redis is not used for Sessions. The problem can lead to a guest browser session being cached on a 404 page, causing every missing image or direct access to a 404 page to logout the customer or clear their cart.

Recommendations For Shopware versions 6.5.8.0 through 6.5.8.6, update to Shopware version 6.5.8.7 to resolve the issue. As a temporary workaround for affected versions, consider using Redis for Sessions by configuring session.save handler = redis and session.save path = "tcp://127.0.0.1:6379" in php.ini, as this does not trigger the exploit code.