This security release closes security gaps of the threat level "medium". Shopware versions from 5.0.0 up to and including 5.7.6 are affected. The following vulnerabilities have been fixed with this security update:
SW-26435: Arbitrary redirect while using certain URLs (5.0.0 - 5.7.6)
SW-26448: Automatically invalidate sessions upon password change (5.7.3 - 5.7.6)
We recommend updating to the current version 5.7.7. You can get the update to 5.7.7 as usual via the Auto-Updater or directly via the download overview.
This release reintroduces the automatic logout on password change. This function was not available in versions v5.7.3 - v5.7.6.
All customers with existing sessions will need to log in again after the update.
For older versions, corresponding security measures are also available via a plugin.