Security Update 01/2023

General Information

This security release resolves vulnerabilities rated "critical" and "medium". All Shopware versions up to and including 6.4.18.0 are affected. The following issues have been fixed with this security update:

NEXT-24667 - Remote code execution via Twig template functions.
NEXT-24679 - Logging data can contain sensitive information of password reset mails.
NEXT-24677 - Administration session is not cleared after long inactivity.
NEXT-23325 - Possibility to bypass selling limits within the checkout process.
NEXT-22891 - Newsletter route does not consider double-opt-in settings.

We recommend updating to the current version 6.4.18.1, either via the auto-updater or manually with the download package:
https://www.shopware.com/en/download/#shopware-6

For older versions, the corresponding fixes are also available via the central security plugin for Shopware 6:
https://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659

Version

6.1.0 - 6.4.18.0