Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Shopware has Improper Session Handling in store-api
Vulnerability Description
Shopware 6 is an open commerce platform based on Symfony Framework and Vue. Starting in version 6.3.5.0 and prior to versions 6.6.1.0 and 6.5.8.8, when a authenticated request is made to `POST /store-api/account/logout`, the cart will be cleared, but the User won't be logged out. This affects only the direct store-api usage, as the PHP Storefront listens additionally on `CustomerLogoutEvent` and invalidates the session additionally. The problem has been fixed in Shopware 6.6.1.0 and 6.5.8.8. Those who are unable to update can install the latest version of the Shopware Security Plugin as a workaround.
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
Vulnerability Type
不充分的会话过期机制
Vulnerability Title
Shopware 安全漏洞
Vulnerability Description
Shopware是德国Shopware公司的一套开源电子商务软件。 Shopware 6存在安全漏洞,该漏洞源于当向POST /store-api/account/logoutCustomerLogoutEvent发出经过身份验证的请求时,购物车将被清除,但用户不会被注销。受影响的产品和版本:Shopware 6.3.5.0至6.6.1.0之前版本,6.5.8.8之前版本。
CVSS Information
N/A
Vulnerability Type
N/A