Skip to main content

Improper Access Control

CVE-2024-22407

Severity Medium
Score 6.5/10

Summary

Shopware is an open headless commerce platform. In the Shopware CMS, the state handler for orders fails to sufficiently verify user authorizations for actions that modify the payment, delivery, and/or order status. Due to this inadequate implementation, users lacking 'write' permissions for orders are still able to change the order state. This issue has been addressed and users are advised to update. For older versions corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version. This issue affects versions prior to 6.5.7.4.

  • LOW
  • NETWORK
  • HIGH
  • UNCHANGED
  • NONE
  • LOW
  • NONE
  • NONE

CWE-284 - Improper Access Control

Listed 5th in the 'OWASP Top Ten', improper (or broken) access control attacks are a fundamental type of vulnerability. This includes a broad range of design flaws that enable users to act outside of their intended permissions. They can use these privileges to gain access to restricted files and functionality such as accessing restricted information, falsifying records, destroying data, or executing commands.

References

Advisory Timeline

  • Published