In this security release, we have fixed a critical vulnerability in addition to the usual bug fixes, as well as two other general security improvements. Affected are the Shopware versions from 6.1.0 up to and including 184.108.40.206. The following vulnerabilities have been fixed with this security update:
NEXT-14533 - After order payment process manipulatable
NEXT-14188 - Protect .env via .htaccess in shopware root!
NEXT-14278 - Persistent Cross-site Scripting Vulnerability
NEXT-14482 - Aggregations are not protected by ApiAware
To make use of the fixes made with NEXT-14188 & NEXT-14278 please make sure to update your server config accordingly.
The update to 220.127.116.11 or the installation of the security plugin will update the htaccess. If you want to do this by your own, copy this file: https://github.com/shopware/production/blob/6.3/.htaccess
We recommend updating to the current version 18.104.22.168. You can get the update to 22.214.171.124 regularly via the Auto-Updater or directly via the download overview.
For older versions of 6.1 and 6.2, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.