In this security release, we have resolved a vulnerability of threat level "critical" to "moderate". Affected are all Shopware versions up to and including 6.5.7.3. The following issues have been fixed with this security update:
NEXT-32886 Server-Side Request Forgery (SSRF) in Flow Builder
NEXT-32887 Time-based blind SQL-injection Shopware CMS Search API
NEXT-32889 Broken Access Control order API
NEXT-33027 Vulnerability in composer package: dompdf/dompdf
We recommend updating to the current version 6.5.7.4. You can update to 6.5.7.4 via the auto-updater or manually via the download package.
https://www.shopware.com/en/download/#shopware-6
An update of the Commercial extension to 5.7.4 is also required for the NEXT-32886 vulnerability.
For older versions, corresponding security measures are also available via the central security plugin for Shopware 6. This includes the security measure, which is included in the Commercial extension update.
https://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659
