PT-2022-15007 · Shopware · Shopware

Published: 2022-01-05 · Updated: 2022-01-12 · CVE-2022-21652

CVSS v2.0: 5.5 (Medium)
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions: Shopware versions prior to 5.7.7

Description: The issue concerns the session validation mechanism in Shopware, an open-source e-commerce software platform. In affected versions, Shopware does not invalidate a user's existing sessions when the account password is changed, so a session created before the latest password change can still be used to log in to the account. In version 5.7.7 the session validation was adjusted so that sessions created prior to the latest password change of a customer account can no longer be used to log in with that account: upon a password change, all existing sessions for that customer account are automatically considered invalid.

Recommendations: For versions prior to 5.7.7, update to version 5.7.7 to resolve the issue. For older versions, consider using the Security Plugin as a temporary measure. As a general guideline, updating to the current version 5.7.7 is recommended; this can be done via the Auto-Updater or directly via the download overview.
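To make the described check concrete, the following is an added illustration (not Shopware's code; the Customer, Session and SessionStore names and the timestamps are constructed for this example). It models the pre-5.7.7 behaviour, where a session is accepted as long as the token exists, beside the corrected behaviour, where a session whose creation time does not postdate the account's latest password change is rejected:

```python
from __future__ import annotations

import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


# Constructed model (not Shopware's data model): each customer account records
# when its password was last changed; each session records when it was created.
@dataclass
class Customer:
    customer_id: int
    password_hash: str            # a real system stores a proper password hash here
    password_changed_at: datetime # UTC timestamp of the most recent password change


@dataclass
class Session:
    token: str
    customer_id: int
    created_at: datetime          # UTC timestamp at which the session was issued


class SessionStore:
    def __init__(self) -> None:
        self._customers: dict[int, Customer] = {}
        self._sessions: dict[str, Session] = {}

    def add_customer(self, customer: Customer) -> None:
        self._customers[customer.customer_id] = customer

    def login(self, customer_id: int, now: datetime) -> str:
        """Issue a fresh session token for an (already authenticated) customer."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(token, customer_id, created_at=now)
        return token

    def change_password(self, customer_id: int, new_hash: str, now: datetime) -> None:
        """Record the new password and the time of the change.

        Only the timestamp is needed to invalidate older sessions: any session
        created before `password_changed_at` will fail `resolve_fixed` below.
        """
        customer = self._customers[customer_id]
        customer.password_hash = new_hash
        customer.password_changed_at = now

    def resolve_vulnerable(self, token: str) -> Optional[Customer]:
        """Behaviour described for affected versions: a known token is enough."""
        session = self._sessions.get(token)
        if session is None:
            return None
        return self._customers.get(session.customer_id)

    def resolve_fixed(self, token: str) -> Optional[Customer]:
        """Corrected behaviour: reject sessions that predate the last password change.

        The comparison is `<=` so a session created in the same instant as the
        change is also rejected; the legitimate user simply logs in again and
        receives a session with a later `created_at`.
        """
        session = self._sessions.get(token)
        if session is None:
            return None
        customer = self._customers.get(session.customer_id)
        if customer is None:
            return None
        if session.created_at <= customer.password_changed_at:
            # Stale session: issued before the password was last changed.
            self._sessions.pop(token, None)
            return None
        return customer


def demo() -> dict[str, bool]:
    """Walk through the scenario from the advisory with constructed timestamps."""
    t0 = datetime(2022, 1, 1, 12, 0, tzinfo=timezone.utc)
    store = SessionStore()
    store.add_customer(Customer(1, "hash-v1", password_changed_at=t0 - timedelta(days=30)))

    old_token = store.login(1, now=t0)                       # issued before the change
    store.change_password(1, "hash-v2", now=t0 + timedelta(minutes=5))
    new_token = store.login(1, now=t0 + timedelta(minutes=6)) # issued after the change

    return {
        "old_token_accepted_vulnerable": store.resolve_vulnerable(old_token) is not None,
        "old_token_accepted_fixed": store.resolve_fixed(old_token) is not None,
        "new_token_accepted_fixed": store.resolve_fixed(new_token) is not None,
        "unknown_token_rejected": store.resolve_fixed("no-such-token") is None,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The timestamp comparison is what makes the fix self-contained: nothing has to enumerate and delete a customer's sessions at password-change time, and sessions stored in caches or replicas that the change never reached still fail the check when presented. Clocks on all application nodes must agree (UTC, synchronized), or a session issued on a node running slightly behind could be rejected or, worse, accepted.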

Weakness Enumeration

Insufficient Session Expiration

Related Identifiers

CVE-2022-21652
GHSA-P523-JRPH-QJC6

Affected Products

Shopware