In this security release, in addition to the usual bug fixes and optimizations, we have also been able to close security vulnerabilities of the threat levels "low" to "medium" in the frontend.
Affected are Shopware versions 5.0.0 to 5.7.5. The following vulnerabilities were fixed with this security update:
SW-26367 - Prevent authenticated stored XSS via SVG images
To secure your system, you can now choose between the following options:
If you are using Apache as your web server, the .htaccess file in the root directory of your Shopware installation should contain the following section:
<IfModule mod_headers.c>
<FilesMatch "\.(?i:svg)$">
Header set Content-Security-Policy "script-src 'none'"
</FilesMatch>
</IfModule>
If it does not, please add the section manually, or install / update the security plugin.
Install / update security plugin
Download the Shopware security plugin version 1.1.25 from the store, or directly from the plugin manager in the backend.
Install and activate the plugin
If the plugin is already installed, you can simply update it through the plugin manager to bring it up to date. If problems occur, you can disable individual fixes in the plugin settings.
Please check all important functionalities after installation or update, especially the ordering process.
If you are using nginx as your web server, the .htaccess file we provide is not used.
In this case, please add the following to your configuration file:
server {
    # ...
    location ~* ^.+\.svg$ {
        # Note: add_header directives inside a location block replace any
        # add_header directives inherited from the server block, so repeat
        # server-level headers here if you rely on them.
        add_header Content-Security-Policy "script-src 'none'";
    }
}
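The following Python script is an added example, not Shopware's code and not part of the security plugin. It implements two defender-side checks for the mitigation described in the Apache and nginx sections above: whether a response's Content-Security-Policy header actually forbids script execution (the `script-src 'none'` the snippets set, including CSP's fallback from a missing `script-src` to `default-src`), and whether an SVG that is already stored in the media directory carries active content. The function names, the sample headers and the sample SVG documents are constructed for this example.

```python
"""Added example (not Shopware's code): two defender-side checks for the
SVG stored-XSS mitigation.

1. csp_blocks_scripts(): given the headers of an SVG response, decide whether
   the Content-Security-Policy would stop scripts embedded in the SVG.
2. svg_active_content(): scan an SVG document for script elements,
   event-handler attributes and javascript: URLs.

All sample headers and SVG documents below are constructed for this example.
"""
import re
import xml.etree.ElementTree as ET


def parse_csp(value):
    """Parse a CSP header value into {directive: [source tokens]}.

    Directives are separated by ';', tokens by whitespace; both directive
    names and source keywords such as 'none' are case-insensitive.
    """
    policy = {}
    for directive in value.split(";"):
        tokens = directive.strip().split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def csp_blocks_scripts(headers):
    """Return True if at least one CSP header in `headers` forbids scripts.

    `headers` is a list of (name, value) pairs, since a response may carry
    several Content-Security-Policy headers and each is enforced on its own.
    script-src governs scripts; when it is absent CSP falls back to
    default-src, and only a sole 'none' source blocks everything.
    """
    for name, value in headers:
        if name.lower() != "content-security-policy":
            continue
        policy = parse_csp(value)
        sources = policy.get("script-src", policy.get("default-src"))
        if sources == ["'none'"]:
            return True
    return False


def svg_active_content(svg_bytes):
    """Return a list of findings; an empty list means no active content found.

    Checks every element for a <script> tag, any on* event-handler attribute
    (e.g. onload) and href/xlink:href attributes pointing at javascript: URLs.
    """
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]
    findings = []
    for elem in root.iter():
        tag = elem.tag.rsplit("}", 1)[-1].lower()  # strip the namespace
        if tag == "script":
            findings.append("<script> element")
        for attr, val in elem.attrib.items():
            local = attr.rsplit("}", 1)[-1].lower()
            if local.startswith("on"):
                findings.append(f"event handler attribute {local}")
            elif local == "href" and re.match(r"^\s*javascript:", val, re.I):
                findings.append("javascript: URL in href")
    return findings


# Constructed sample data.
SAMPLE_HEADERS_FIXED = [("Content-Type", "image/svg+xml"),
                        ("Content-Security-Policy", "script-src 'none'")]
SAMPLE_HEADERS_UNFIXED = [("Content-Type", "image/svg+xml")]
SAMPLE_HEADERS_WEAK = [("Content-Security-Policy", "default-src 'self'; img-src *")]

SAMPLE_SVG_CLEAN = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
SAMPLE_SVG_ACTIVE = (
    b'<svg xmlns="http://www.w3.org/2000/svg" '
    b'xmlns:xlink="http://www.w3.org/1999/xlink" onload="1">'
    b'<script>1</script><a xlink:href="javascript:1"/></svg>'
)

if __name__ == "__main__":
    for label, hdrs in (("fixed", SAMPLE_HEADERS_FIXED),
                        ("unfixed", SAMPLE_HEADERS_UNFIXED),
                        ("weak", SAMPLE_HEADERS_WEAK)):
        print(f"{label}: scripts blocked = {csp_blocks_scripts(hdrs)}")
    print("clean svg:", svg_active_content(SAMPLE_SVG_CLEAN))
    print("active svg:", svg_active_content(SAMPLE_SVG_ACTIVE))
```

In practice you would feed `csp_blocks_scripts()` the headers returned for a real SVG under your media path after applying the Apache or nginx snippet, and run `svg_active_content()` over the files already present in the media directory, since the CSP header only neutralises scripts in the browser and does not remove them from stored files.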