CVE-2024-31447— Shopware has Improper Session Handling in store-api
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2024-31447
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Shopware has Improper Session Handling in store-api
Source: NVD (National Vulnerability Database)
Vulnerability Description
Shopware 6 is an open commerce platform based on Symfony Framework and Vue. Starting in version 6.3.5.0 and prior to versions 6.6.1.0 and 6.5.8.8, when a authenticated request is made to `POST /store-api/account/logout`, the cart will be cleared, but the User won't be logged out. This affects only the direct store-api usage, as the PHP Storefront listens additionally on `CustomerLogoutEvent` and invalidates the session additionally. The problem has been fixed in Shopware 6.6.1.0 and 6.5.8.8. Those who are unable to update can install the latest version of the Shopware Security Plugin as a workaround.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
不充分的会话过期机制
Source: NVD (National Vulnerability Database)
Vulnerability Title
Shopware 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Shopware是德国Shopware公司的一套开源电子商务软件。 Shopware 6存在安全漏洞,该漏洞源于当向POST /store-api/account/logoutCustomerLogoutEvent发出经过身份验证的请求时,购物车将被清除,但用户不会被注销。受影响的产品和版本:Shopware 6.3.5.0至6.6.1.0之前版本,6.5.8.8之前版本。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2024-31447
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2024-31447
请登录查看更多情报信息。
- https://github.com/shopware/shopware/security/advisories/GHSA-5297-wrrp-rcj7x_refsource_CONFIRM
- https://nvd.nist.gov/vuln/detail/CVE-2024-31447
IV. Related Vulnerabilities
Same product: shopware
- CVE-2026-23498
Shopware Improper Control of Generation of Code in Twig rend - CVE-2025-67648
Shopware's inproper input validation can lead to Reflected X - CVE-2025-7954
Race Condition in Shopware Voucher Submission - CVE-2025-32378
Shopware's default newsletter opt-in settings allow for mass - CVE-2025-30150
Shopware 6 allows attackers to check for registered accounts
Same vendor: shopware
- CVE-2026-32142
shopware/commercial: `/api/_info/config` route exposes infor - CVE-2026-31889
Shopware has a potential take over of app credentials - CVE-2026-31888
Shopware has user enumeration via distinct error codes on St - CVE-2026-31887
Shopware unauthenticated data extraction possible through st - CVE-2026-23498
Shopware Improper Control of Generation of Code in Twig rend
Same weakness: CWE-613
- CVE-2026-41902
FreeScout's user invitation hash never expires: permanent un - CVE-2026-41519
Weblate's API Token Not Invalidated on Password Change - CVE-2026-41891
CI4MS: Deactivated User Session Bypass (active=0) - CVE-2026-40934
jupyter-server authentication cookies remain valid after pas - CVE-2026-42421
OpenClaw < 2026.4.8 - WebSocket Session Persistence via Shar
V. Comments for CVE-2024-31447
No comments yet