Insufficient Session Expiration in Shopware - CVE-2022-21652
Published: January 5, 2022 / Updated: May 19, 2026
Shopware
Detailed vulnerability description
The vulnerability allows a remote user to maintain access to an account after a password change.
The vulnerability exists due to improper session expiration in session handling when a password is changed. A remote user can continue using an existing session to maintain access to an account after a password change.