CVE-2024-22407

low-risk
Published 2024-01-16

Shopware is an open headless commerce platform. In the Shopware CMS, the state handler for orders fails to sufficiently verify user authorizations for actions that modify the payment, delivery, and/or order status. Due to this inadequate implementation, users lacking 'write' permissions for orders are still able to change the order state. This issue has been addressed and users are advised to update to Shopware 6.5.7.4. For older versions of 6.1, 6.2, 6.3 and 6.4 corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.

Do I need to act?

-
0.11% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
4
CVSS 4.9/10 Medium
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Shopware

References (2)

Vendor Advisory https://github.com/shopware/shopware/security/advisories/GHSA-3867-jc5c-66qf
Vendor Advisory https://github.com/shopware/shopware/security/advisories/GHSA-3867-jc5c-66qf
25
/ 100
low-risk
Severity 20/34 · Moderate
Exploitability 0/34 · Minimal
Exposure 5/34 · Minimal