Security update 10/2021

General information

In this security release, in addition to the usual bug fixes and optimizations, we have also been able to close security vulnerabilities of the threat levels "low" to "medium" in the frontend.

Affected are the Shopware versions from 5.0.0 to 5.7.5. The following vulnerability was fixed with this security update:

  • SW-26367 - Prevent authenticated stored XSS via SVG images

To secure your system, you can now choose between the following options:

Solutions

Apache Webserver

If you are using Apache as your web server, the .htaccess file in the root directory of your Shopware installation should contain the following section:


<IfModule mod_headers.c>
    <FilesMatch "\.(?i:svg)$">
        Header set Content-Security-Policy "script-src 'none'"
    </FilesMatch>
</IfModule>

If this is not the case, please add the section manually or install / update the security plugin.

Install / update security plugin

  • Download the Shopware security plugin version 1.1.25 from the store or alternatively directly from the plugin manager in the backend.

  • Install and activate the plugin.

If the plugin already exists, you can simply update the plugin through the plugin manager to bring it up to date. If problems occur, you can disable individual fixes using the plugin settings.

Please check all important functionalities after installation or update, especially the ordering process.


nginx Webserver

If you are using nginx as your web server, the configuration is not done using the .htaccess file we provide.
In this case, please add the following to your configuration file:


server {
    # ...

    location ~* ^.+\.svg$ {
        add_header Content-Security-Policy "script-src 'none'";
    }
}
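To confirm that either the Apache or the nginx configuration above is actually in effect, the following script (added here as an example, not part of the Shopware advisory or plugin) fetches an SVG URL and checks whether its Content-Security-Policy header blocks script execution. The URL on the command line and the header values in the comments are constructed examples.

```python
"""Verify that SVG responses carry a script-blocking CSP header."""
import sys
import urllib.request


def parse_csp(header_value):
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for directive in header_value.split(";"):
        parts = directive.strip().split()
        if parts:
            # Directive names are case-insensitive; source values keep their case.
            policy[parts[0].lower()] = parts[1:]
    return policy


def csp_blocks_scripts(header_value):
    """Return True if the policy forbids all script execution for the resource.

    script-src governs scripts; when it is absent the browser falls back to
    default-src. Only a source list consisting solely of 'none' blocks every
    script, so "script-src 'none'" and "default-src 'none'" both pass, while a
    missing header or any other source list fails.
    """
    if not header_value:
        return False
    policy = parse_csp(header_value)
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return False
    return [s.lower() for s in sources] == ["'none'"]


def check_svg_url(url, timeout=10):
    """Fetch an SVG and report (blocks_scripts, raw_csp_header) for it."""
    request = urllib.request.Request(url, method="GET")
    with urllib.request.urlopen(request, timeout=timeout) as response:
        csp = response.headers.get("Content-Security-Policy")
    return csp_blocks_scripts(csp), csp


if __name__ == "__main__":
    # Example: python check_svg_csp.py https://shop.example/media/image/logo.svg
    for target in sys.argv[1:]:
        ok, value = check_svg_url(target)
        print(f"{'OK  ' if ok else 'FAIL'} {target} -> {value!r}")
```

Run it against a few SVG media URLs of your shop after applying the change; a FAIL with `None` means the header is not being sent for that path, typically because the FilesMatch or location block is not matching.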
