Security Update 01/2024

General Information

In this security release, we have resolved a vulnerability of threat level "critical" to "moderate". Affected are all Shopware versions up to and including The following issues have been fixed with this security update:

NEXT-32886 Server-Side Request Forgery (SSRF) in Flow Builder

NEXT-32887 Time-based blind SQL-injection Shopware CMS Search API

NEXT-32889 Broken Access Control order API

NEXT-33027 Vulnerability in composer package: dompdf/dompdf

We recommend updating to the current version You can update to via the auto-updater or manually via the download package.

An update of the Commercial extension to 5.7.4 is also required for the NEXT-32886 vulnerability.

For older versions, corresponding security measures are also available via the central security plugin for Shopware 6. This includes the security measure, which is included in the Commercial extension update.

Was this article helpful?


6.1.0 -