Following the security update that was published on 23rd January, we are now providing you with an updated version that offers improved protection using only a few minor adjustments in Shopware. Under certain circumstances it is still possible to compromise Shopware and the HotFix plugin that was previously provided. One possible threat is if a template that doesn’t derive from the Shopware standard has been completely copied. To prevent this scenario, we created an updated version of Shopware (5.2.16) and the HotFix plugin (1.1.0). To ensure security, we strongly recommend that you install the latest version of Shopware (5.2.16) or the most recent version of the HotFix plugin. Please check whether you use themes or plugins that execute or overwrite the following template code. In this case, we recommend that you also make the following template adjustments in the derived template file.
Affected file: emotion.tpl
Path template file "Emotion template": templates / _default / frontend / forms / elements.tpl
Path template file "Responsive template": themes/Frontend/Bare/frontend/forms/elements.tpl
The complete line beginning with: {eval var=$sSupport.sFields[$sKey]... should be exchanged with the following:
{$sSupport.sFields[$sKey]|replace:'{literal}':''|replace:'{/literal}':''|replace:'%*%':"{s name='RequiredField' namespace='frontend/register/index'}{/s}"}
(These adjustments have already been implemented in Shopware 5.2.15)
All theme and plugin developers are encouraged to encouraged to update their existing themes/plugins using the abovementioned code.
Under certain circumstances, it’s possible to execute an unauthorized foreign code in Shopware. This is a critical security vulnerability that could affect the entire system. All Shopware versions including Shopware 5.2.14 are affected. It is imperative that security updates be performed for every Shopware shop. Our current software version 5.2.15 already contains the required security update. You can upgrade to the new version 5.2.15 using the auto-update function in your backend or by downloading the release from our download page.
If you are unable to upgrade your system to version 5.2.15 (recommended), you have another option for securing your system:
Patch plugin