Security Update 12/2018

Article version: 5.0.0 - 5.5.3

General information

In addition to the usual bug fixes and optimisations, we have also been able to close multiple vulnerabilities at the "moderate" to "heavy" threat level.
All Shopware versions from 5.0.0 up to 5.5.3 are affected. The following vulnerabilities are fixed with this release:

  • SW-23009, SW-23010: Authenticated remote code execution in the backend
  • SW-23011: Path traversal with live media migration enabled
  • SW-23012: Allows a Validation Bypass attack
  • SW-23008: MITM vulnerability in update mechanism for incorrectly configured server systems

You can choose between two options to protect your system:

Solutions

We strongly recommend updating to the latest version of Shopware (5.5.4). This version fixes these vulnerabilities. You can use the auto-update process or simply download the version from our download page.

Install / update the security plugin

If it is not possible for you to update to the latest version of Shopware, you can use our Shopware Security Plugin instead.

  • Download the Shopware Security Plugin in version 1.1.13 from our store or use the Plugin Manager of your Shopware backend.
  • Install and activate the plugin.

If you already use this plugin, simply update it to the latest version to secure your environment. If you experience any problems, you can disable individual fixes via the plugin settings.

Please check all important functionalities, in particular the ordering process, after the installation or update.