CVE-2024-31447: Shopware Improper Session Handling in store-api account logout
When a authentificated request is made to POST /store-api/account/logout, the cart will be cleared, but the User won’t be logged out. This affects only the direct store-api usage, as the PHP Storefront listens additionally on CustomerLogoutEvent and invalidates the session additionally.
References
- github.com/advisories/GHSA-5297-wrrp-rcj7
- github.com/shopware/shopware
- github.com/shopware/shopware/commit/5cc84ddd817ad0c1d07f9b3c79ab346d50514a77
- github.com/shopware/shopware/commit/d29775aa758f70d08e0c5999795c7c26d230e7d3
- github.com/shopware/shopware/security/advisories/GHSA-5297-wrrp-rcj7
- nvd.nist.gov/vuln/detail/CVE-2024-31447
Code Behaviors & Features
Detect and mitigate CVE-2024-31447 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →