CVE-2022-24744 is a medium-severity vulnerability affecting the Shopware platform, an open commerce system built on the Symfony PHP framework and Vue.js. The vulnerability is classified under CWE-613, which pertains to insufficient session expiration. Specifically, in affected versions of Shopware prior to 6.4.8.1, user sessions are not properly invalidated or logged out when a password reset is performed via the password recovery mechanism. This means that if an attacker or unauthorized party gains access to an active session token or cookie, they could potentially maintain access to the user account even after the legitimate user has reset their password. The issue compromises session management best practices by failing to terminate all active sessions upon a critical security event such as a password reset. The vendor has addressed this vulnerability in version 6.4.8.1, and for older versions 6.1, 6.2, and 6.3, security measures are available through a plugin. No known exploits have been reported in the wild, and no CVSS score has been assigned to this vulnerability. The lack of session invalidation can lead to unauthorized access persistence, increasing the risk of account takeover and data exposure if session tokens are compromised. The vulnerability affects all Shopware platform deployments running versions earlier than 6.4.8.1 that have not applied the patch or plugin mitigation.

For European organizations using the Shopware platform, this vulnerability poses a risk of unauthorized persistent access to user accounts following password resets. This can lead to confidentiality breaches, as attackers may access sensitive customer data, order histories, and payment information. Integrity could also be impacted if attackers manipulate account details or place fraudulent orders. Availability impact is limited but could occur if attackers disrupt user sessions or perform malicious actions. The risk is particularly relevant for e-commerce businesses, including retailers and service providers, where customer trust and data protection are paramount. Given the GDPR regulations in Europe, any data breach resulting from this vulnerability could lead to regulatory penalties and reputational damage. The vulnerability's exploitation does not require user interaction beyond the password reset process, but it does require that the attacker has access to an active session token, which could be obtained through other means such as session hijacking or theft. The absence of known exploits suggests that the threat is currently theoretical but should be addressed proactively to prevent potential abuse.

European organizations should immediately upgrade Shopware installations to version 6.4.8.1 or later to ensure the vulnerability is patched. For those unable to upgrade promptly, installing the official security plugin available for versions 6.1, 6.2, and 6.3 is critical to mitigate the risk. Additionally, organizations should implement robust session management policies, including enforcing short session lifetimes and monitoring for unusual session activity. Employing multi-factor authentication (MFA) can reduce the risk of session hijacking. Regularly auditing active sessions and providing users with the ability to view and terminate active sessions can help detect and respond to unauthorized access. Network-level protections such as secure cookie flags (HttpOnly, Secure, SameSite) and TLS encryption should be enforced to protect session tokens during transmission. Finally, organizations should educate users about the importance of logging out from shared or public devices and monitor for suspicious login patterns that may indicate session misuse.