CVE-2024-31447

Name of the Vulnerable Software and Affected Versions Shopware 6 versions 6.3.5.0 through 6.6.1.0 and prior to 6.5.8.8 can be simplified to: Shopware 6 versions 6.3.5.0 through 6.6.0 and versions 6.5.0 through 6.5.8.7

Description Shopware 6 is an open commerce platform based on Symfony Framework and Vue. When an authenticated request is made to POST /store-api/account/logout, the cart will be cleared, but the user won't be logged out. This affects only the direct store-api usage, as the PHP Storefront listens additionally on CustomerLogoutEvent and invalidates the session additionally.

Recommendations For Shopware 6 versions 6.3.5.0 through 6.6.0, update to version 6.6.1.0. For Shopware 6 versions 6.5.0 through 6.5.8.7, update to version 6.5.8.8. As a temporary workaround for those unable to update, install the latest version of the Shopware Security Plugin. Restrict access to the POST /store-api/account/logout endpoint until the issue is resolved.