CVE-2022-24748: 
PHP vulnerability analysis and mitigation

Shopware, an open commerce platform based on the Symfony PHP Framework and Vue javascript framework, disclosed a vulnerability (CVE-2022-24748) that was discovered prior to version 6.4.8.2. The vulnerability allowed unauthorized modification of customers and creation of orders without proper App Permission due to improper API route checking (NVD, GitHub Advisory).

The vulnerability stems from improper API route checking in the platform's authentication mechanism. The issue has been assigned a CVSS v3.1 Base Score of 7.5 (HIGH) by NVD and 6.8 (MEDIUM) by GitHub, with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N. The vulnerability is categorized under CWE-863 (Incorrect Authorization) by NVD and CWE-287 (Improper Authentication) by GitHub (NVD).

The vulnerability allowed attackers to modify customer information and create orders without having the proper application permissions. This could potentially lead to unauthorized access to customer data and fraudulent order creation (GitHub Advisory).

The vulnerability has been patched in version 6.4.8.2. Users are strongly advised to upgrade to this version. For older versions (6.1, 6.2, and 6.3), security measures are available via a plugin. The update can be obtained through the Auto-Updater or directly from the download overview (GitHub Advisory).