CVE-2022-36101 is a vulnerability identified in Shopware, an open-source e-commerce platform widely used for managing online stores. The issue affects Shopware versions prior to 5.7.15. Specifically, the vulnerability arises from the backend administration's customer detail view request, which inadvertently exposes sensitive information such as hashed passwords and session IDs. These data elements should be protected and not transmitted or displayed in a manner accessible to unauthorized users. The exposure occurs because these sensitive fields were not properly unset or filtered out in the affected versions, leading to potential unauthorized disclosure. This vulnerability falls under CWE-200, which relates to the exposure of sensitive information to unauthorized actors. The vendor addressed the issue in version 5.7.15 by explicitly unsetting these sensitive fields in the customer detail response. There are no known workarounds, and users are advised to update their Shopware installations either via the Auto-Updater or by downloading the patched version directly from the vendor's site. No known exploits have been reported in the wild as of the published date, but the nature of the exposed data (hashed passwords and session IDs) poses a significant risk if accessed by attackers, potentially enabling further compromise such as session hijacking or offline password cracking attempts.

For European organizations using Shopware for their e-commerce operations, this vulnerability can lead to unauthorized disclosure of sensitive customer and administrative data. Exposure of hashed passwords, even if salted, can allow attackers to perform offline brute-force or dictionary attacks to recover plaintext credentials, potentially leading to account takeover. Exposure of session IDs can facilitate session hijacking, allowing attackers to impersonate legitimate users or administrators, leading to unauthorized access to backend systems, manipulation of store data, or theft of customer information. This can result in financial losses, reputational damage, and regulatory non-compliance, especially under GDPR, which mandates strict protection of personal data. The impact is heightened for organizations with high transaction volumes or those handling sensitive customer data. Additionally, unauthorized access to backend administration could allow attackers to modify product listings, pricing, or inject malicious code, further amplifying the risk. Given the lack of known exploits in the wild, the immediate threat may be moderate, but the potential for exploitation remains significant if attackers discover or develop methods to leverage this vulnerability.

The primary and most effective mitigation is to update Shopware installations to version 5.7.15 or later, where the issue has been resolved by unsetting sensitive fields in the customer detail view. Organizations should prioritize patching in their update cycles and verify the version in use. Since no workarounds exist, temporary measures such as restricting backend access through network segmentation, VPNs, or IP whitelisting can reduce exposure risk. Implementing strict access controls and multi-factor authentication (MFA) for backend administration accounts can limit the impact of potential session hijacking. Monitoring backend logs for unusual access patterns or repeated failed login attempts can help detect exploitation attempts early. Additionally, organizations should review session management policies to ensure session IDs are rotated frequently and invalidated upon logout. Regularly auditing and rotating customer and administrative credentials can also mitigate risks from exposed hashed passwords. Finally, educating staff about the importance of timely patching and secure credential management is essential.