Impact
In the Shopware CMS, the state handler for orders fails to sufficiently verify user authorizations
for actions that modify the payment, delivery, and/or order status. Due to this inadequate
implementation, users lacking 'write' permissions for orders are still able to change the order
state.
Patches
Update to Shopware 6.5.7.4
Workarounds
For older versions of 6.1, 6.2, 6.3 and 6.4 corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.
Impact
In the Shopware CMS, the state handler for orders fails to sufficiently verify user authorizations
for actions that modify the payment, delivery, and/or order status. Due to this inadequate
implementation, users lacking 'write' permissions for orders are still able to change the order
state.
Patches
Update to Shopware 6.5.7.4
Workarounds
For older versions of 6.1, 6.2, 6.3 and 6.4 corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.