CVE-2024-22407: Improper Access Control

January 17, 2024

Shopware is an open headless commerce platform. In the Shopware CMS, the state handler for orders fails to sufficiently verify user authorizations for actions that modify the payment, delivery, and/or order status. Due to this inadequate implementation, users lacking ‘write’ permissions for orders are still able to change the order state. This issue has been addressed and users are advised to update to Shopware 6.5.7.4. For older versions of 6.1, 6.2, 6.3 and 6.4 corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.

References

github.com/advisories/GHSA-3867-jc5c-66qf
github.com/shopware/core/commit/78142489264f9262eaaa436ba036df40026a06be
github.com/shopware/shopware/commit/fb25e24ca51650009ffa2520f1e67b48b911354a
github.com/shopware/shopware/security/advisories/GHSA-3867-jc5c-66qf
nvd.nist.gov/vuln/detail/CVE-2024-22407

Code Behaviors & Features

Detect and mitigate CVE-2024-22407 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →