CVELIST:CVE-2024-22407
History: Jan 16, 2024 - 10:29 p.m.

CVE-2024-22407 Broken Access Control order API in Shopware

Published: 2024-01-16 22:29:06
CWE: CWE-284 (Improper Access Control)
Source: GitHub_M (www.cve.org)
Tags: shopware cms, user authorizations, payment modification, order status, shopware 6.5.7.4

CVSS3: 4.9 Medium
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE

EPSS: 0.0005 Low (percentile 16.0%)

Shopware is an open headless commerce platform. In the Shopware CMS, the order state handler does not sufficiently verify the caller's authorization for actions that modify the payment, delivery and/or order status. Because of this, users who lack 'write' permissions for orders can still change the order state. The CVSS vector's PR:H reflects the precondition: the caller must already hold a valid Administration account; the weakness is that an account whose role omits order write permissions can nevertheless drive order, payment and delivery state transitions through the order API, which is why the rated impact is integrity-only. The issue is fixed in Shopware 6.5.7.4 and users are advised to update. For the older 6.1, 6.2, 6.3 and 6.4 release lines the corresponding security measures are also available via a plugin; for the full range of functions, updating to the latest Shopware version is recommended.
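The following is an added example, not Shopware's code and not part of the CVE record: a plain-Python model of the gap described above. It runs the same state transition through a pre-fix handler that only checks authentication and a hardened handler that also requires the entity's write privilege, and it includes a small audit helper for the bug class (mutating `/api/_action` routes that declare no `_acl`). The transition tables, the `<entity>:update` privilege names, the route paths and the `AdminUser`/`Order` types are constructed here; the page does not state which privilege the upstream fix checks for each endpoint.

```python
"""Added example: the authorization gap behind CVE-2024-22407, modelled in Python.
Not Shopware's code; transition tables, privilege names and routes are constructed."""
from dataclasses import dataclass, field

# Constructed subset of the three order-related state machines.
# current state -> {transition action: resulting state}
TRANSITIONS = {
    "order": {
        "open": {"process": "in_progress", "cancel": "cancelled"},
        "in_progress": {"complete": "completed", "cancel": "cancelled"},
    },
    "order_transaction": {  # payment status
        "open": {"paid": "paid", "cancel": "cancelled"},
        "paid": {"refund": "refunded"},
    },
    "order_delivery": {  # shipping status
        "open": {"ship": "shipped", "cancel": "cancelled"},
        "shipped": {"retour": "returned"},
    },
}

# Assumption: privilege names follow the "<entity>:update" ACL convention.
REQUIRED_PRIVILEGE = {
    "order": "order:update",
    "order_transaction": "order_transaction:update",
    "order_delivery": "order_delivery:update",
}


class Forbidden(Exception):
    """The caller may not perform this transition."""


class InvalidTransition(Exception):
    """The state machine has no such transition from the current state."""


@dataclass(frozen=True)
class AdminUser:
    name: str
    privileges: frozenset  # e.g. frozenset({"order:read"})


@dataclass
class Order:
    id: str
    states: dict = field(default_factory=lambda: {
        "order": "open", "order_transaction": "open", "order_delivery": "open"})


def _apply(order: Order, entity: str, action: str) -> str:
    """Run the state machine; return the new state or raise InvalidTransition."""
    current = order.states[entity]
    try:
        new_state = TRANSITIONS[entity][current][action]
    except KeyError:
        raise InvalidTransition(f"{entity}: no '{action}' from '{current}'") from None
    order.states[entity] = new_state
    return new_state


def transition_vulnerable(user, order: Order, entity: str, action: str) -> str:
    """Pre-fix behaviour: authentication is checked, authorization is not.
    Any logged-in Administration user, even one with read-only order access,
    reaches the state machine and changes the order."""
    if user is None:
        raise Forbidden("authentication required")
    return _apply(order, entity, action)


def transition_fixed(user, order: Order, entity: str, action: str) -> str:
    """Hardened handler: require the entity's write privilege before any change."""
    if user is None:
        raise Forbidden("authentication required")
    needed = REQUIRED_PRIVILEGE[entity]
    if needed not in user.privileges:
        raise Forbidden(f"user '{user.name}' lacks privilege '{needed}'")
    return _apply(order, entity, action)


MUTATING = {"POST", "PUT", "PATCH", "DELETE"}


def audit_routes(routes) -> list:
    """Paths of mutating /api/_action routes that declare no '_acl' default.
    `routes` is a list of {"path", "methods", "defaults"} dicts (constructed shape)."""
    findings = []
    for r in routes:
        mutating = MUTATING.intersection(m.upper() for m in r["methods"])
        if r["path"].startswith("/api/_action/") and mutating and not r["defaults"].get("_acl"):
            findings.append(r["path"])
    return findings


# Constructed route table shaped like order action endpoints; the third one is the
# hardened form, the first two are what the audit should flag.
SAMPLE_ROUTES = [
    {"path": "/api/_action/order/{orderId}/state/{transition}",
     "methods": ["POST"], "defaults": {}},
    {"path": "/api/_action/order_transaction/{orderTransactionId}/state/{transition}",
     "methods": ["POST"], "defaults": {}},
    {"path": "/api/_action/order_delivery/{orderDeliveryId}/state/{transition}",
     "methods": ["POST"], "defaults": {"_acl": ["order_delivery:update"]}},
    {"path": "/api/_action/order/{orderId}/state", "methods": ["GET"], "defaults": {}},
]


def demo() -> dict:
    """A read-only user marks an order as paid before the fix and is refused after."""
    viewer = AdminUser("viewer", frozenset({"order:read"}))
    before, after = Order("o-1"), Order("o-2")
    result = {"vulnerable": transition_vulnerable(viewer, before, "order_transaction", "paid")}
    try:
        transition_fixed(viewer, after, "order_transaction", "paid")
        result["fixed"] = "allowed"
    except Forbidden as exc:
        result["fixed"] = f"refused: {exc}"
    result["unprotected_routes"] = audit_routes(SAMPLE_ROUTES)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the model makes is that the state machine itself is not the bug: both handlers reject transitions the machine does not allow. What differs is whether a privilege check happens before the machine runs. The same check can be reproduced against a staging instance by creating an Administration role without order write permissions and attempting a state transition with it; on a patched instance the request should be refused rather than applied.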

CNA Affected

[
  {
    "vendor": "shopware",
    "product": "shopware",
    "versions": [
      {
        "version": "<  6.5.7.4",
        "status": "affected"
      }
    ]
  }
]
