
Cloud Vulnerability DB
A community-led vulnerabilities database
Shopware, an open commerce platform built on the Symfony PHP framework and the Vue JavaScript framework, was found to share guest sessions between customers when its HTTP cache was enabled. The vulnerability, tracked as CVE-2022-24745, was discovered and disclosed in March 2022. It affected versions up to and including 6.4.8.0, potentially impacting every Shopware installation that uses the HTTP cache; setups fronted by Varnish were not affected (GitHub Advisory).
The vulnerability stems from a session handling issue: with the HTTP cache enabled, guest sessions were not isolated per visitor, so one guest could be handed a session belonging to another. It received a CVSS v3.1 Base Score of 6.5 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N, that is, reachable over the network with low attack complexity, no privileges and no user interaction, with low impact on confidentiality and integrity and none on availability (NVD).
For guest users the visible effect is inconsistent behaviour, since a session is no longer tied to a single visitor. Because the shared session carries that visitor's state, the flaw could leak information between different guest users and compromise the integrity of individual shopping sessions, which is what the C:L and I:L components of the vector reflect (GitHub Advisory).
The vulnerability was patched in version 6.4.8.2. For installations that cannot upgrade, two workarounds are available: 1) disable the HTTP cache completely, at the cost of serving every storefront page uncached, or 2) for the older 6.1, 6.2 and 6.3 release lines, apply the security measures Shopware ships as a plugin. The recommended fix is to update to the latest Shopware version (GitHub Advisory).
Source: This report was generated using AI