Insufficient Session Expiration in Shopware - CVE-2022-24744
Published: March 9, 2022 / Updated: May 20, 2026
Shopware
Detailed vulnerability description
The vulnerability allows a remote user to retain access to an existing session after a password reset.
The vulnerability exists due to insufficient session expiration in the password recovery session handling when resetting a password via password recovery. A remote user can continue using an existing session to retain access to an existing session after a password reset.