CVE-2022-21652: CWE-613: Insufficient Session Expiration in shopware shopware
Shopware is an open source e-commerce software platform. In affected versions Shopware would not invalidate a user session in the event of a password change. With version 5.7.7 the session validation was adjusted so that sessions created prior to the latest password change of a customer account can't be used to log in with said account. This also means that upon a password change, all existing sessions for a given customer account are automatically considered invalid. There is no workaround for this issue.
AI Analysis
Technical Summary
CVE-2022-21652 is a vulnerability identified in the Shopware e-commerce platform, specifically affecting versions from 5.7.3 up to but not including 5.7.7. The core issue relates to insufficient session expiration (CWE-613), where user sessions are not invalidated upon a password change. This means that if an attacker or unauthorized party has access to an active session token prior to the password change, they could continue to use that session to access the affected customer account even after the password has been updated. This undermines the security expectation that changing a password should immediately revoke all existing sessions, thereby preventing continued unauthorized access. The vulnerability was addressed in Shopware version 5.7.7 by adjusting session validation logic so that any sessions created before the latest password change are invalidated and cannot be used to log in. There is no workaround for this issue in the affected versions, making upgrading to 5.7.7 or later the only effective remediation. No known exploits have been reported in the wild, but the vulnerability presents a risk especially in scenarios where session tokens might be compromised or stolen. The vulnerability impacts the confidentiality and integrity of user accounts, as unauthorized users could maintain access despite password changes, potentially leading to data theft, fraudulent transactions, or account manipulation. The vulnerability does not require user interaction beyond the password change event and can be exploited if an attacker has access to an active session token, which may be obtained through other attack vectors such as session hijacking or cross-site scripting (XSS).
Potential Impact
For European organizations using Shopware versions between 5.7.3 and 5.7.7, this vulnerability poses a significant risk to customer account security. Since Shopware is widely used by small to medium-sized e-commerce businesses across Europe, the potential impact includes unauthorized access to customer accounts, leading to data breaches involving personal and payment information, fraudulent orders, and reputational damage. The failure to invalidate sessions upon password changes can also undermine customer trust and violate data protection regulations such as the GDPR, which mandates appropriate security measures to protect personal data. Additionally, attackers maintaining persistent access could manipulate order histories, payment details, or customer profiles, resulting in financial losses and operational disruptions. The medium severity rating reflects that while exploitation requires prior session access, the consequences of such exploitation can be substantial, especially in high-volume or sensitive e-commerce environments. Organizations may also face compliance risks and potential fines if breaches occur due to this vulnerability. Given the lack of known exploits, the threat is currently theoretical but should be proactively addressed to prevent future incidents.
Mitigation Recommendations
The primary and most effective mitigation is to upgrade all affected Shopware instances to version 5.7.7 or later, where the session invalidation logic has been corrected. Organizations should prioritize patching in their update cycles and test the upgrade in staging environments to ensure compatibility. Beyond upgrading, organizations should implement enhanced session management controls such as reducing session lifetimes, enforcing secure cookie attributes (HttpOnly, Secure, SameSite), and monitoring for unusual session activity indicative of hijacking. Implementing multi-factor authentication (MFA) for customer accounts can reduce the risk of unauthorized access even if session tokens are compromised. Additionally, organizations should conduct regular security audits and penetration testing focused on session management and authentication flows. Logging and alerting on password changes and concurrent sessions can help detect suspicious activity. For environments where immediate upgrade is not feasible, organizations should educate customers to log out of all sessions manually after password changes and consider invalidating sessions server-side through custom development if possible. Finally, integrating Web Application Firewalls (WAFs) to detect and block session hijacking attempts can provide an additional layer of defense.
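As an added illustration (not Shopware's own code) of the check the fix introduces, the following models the pre-5.7.7 validation, which only looks at session expiry, beside the corrected one, which additionally requires the session to postdate the account's latest password change. The Customer and Session records, the timestamps and the hash strings are constructed for the example.

```python
"""Session validation keyed to the account's last password change.

Constructed example modelling the behaviour described for Shopware 5.7.7:
a session created before the latest password change is rejected.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Customer:
    customer_id: int
    password_hash: str           # placeholder value, not a real hash
    password_changed_at: datetime


@dataclass
class Session:
    session_id: str
    customer_id: int
    created_at: datetime
    expires_at: datetime


def is_valid_vulnerable(session, customer, now):
    """Pre-fix check: only expiry is tested, so a session issued before
    a password change stays usable until it expires on its own."""
    return session.customer_id == customer.customer_id and now < session.expires_at


def is_valid_fixed(session, customer, now):
    """Fixed check: the session must also have been created at or after
    the account's most recent password change."""
    return (is_valid_vulnerable(session, customer, now)
            and session.created_at >= customer.password_changed_at)


def change_password(customer, new_hash, now):
    """Store the new hash and the change time; the fixed check then treats
    every session created before `now` as invalid without touching them."""
    customer.password_hash = new_hash
    customer.password_changed_at = now


def demo():
    t0 = datetime(2022, 1, 1, 12, 0, tzinfo=timezone.utc)
    cust = Customer(42, "hash-old", t0 - timedelta(days=30))
    old = Session("sess-old", 42, t0 - timedelta(hours=1), t0 + timedelta(hours=23))
    before = (is_valid_vulnerable(old, cust, t0), is_valid_fixed(old, cust, t0))
    change_password(cust, "hash-new", t0 + timedelta(minutes=5))
    later = t0 + timedelta(minutes=10)
    after = (is_valid_vulnerable(old, cust, later), is_valid_fixed(old, cust, later))
    fresh = Session("sess-new", 42, later, later + timedelta(hours=24))
    return before, after, is_valid_fixed(fresh, cust, later + timedelta(seconds=1))
```

If timestamps are persisted at second granularity, a session created in the same second as the change passes the `>=` comparison; storing a per-account password generation counter in the session and comparing counters avoids that ambiguity.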
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Belgium, Poland, Sweden, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2021-11-16T00:00:00.000Z
- Cisa Enriched: true
Threat ID: 682d9842c4522896dcbf2236
Added to database: 5/21/2025, 9:09:22 AM
Last enriched: 6/23/2025, 6:47:53 PM
Last updated: 8/11/2025, 12:24:52 PM