In this security release, we have fixed a critical vulnerability in addition to the usual bug fixes, as well as two other general security improvements. Affected are the Shopware versions from 6.1.0 up to and including 6.3.5.2. The following vulnerabilities have been fixed with this security update:
NEXT-14533 - After order payment process manipulatable
NEXT-14188 - Protect .env via .htaccess in shopware root!
NEXT-14278 - Persistent Cross-site Scripting Vulnerability
NEXT-14482 - Aggregations are not protected by ApiAware
To make use of the fixes made with NEXT-14188 & NEXT-14278 please make sure to update your server config accordingly.
Nginx:
https://developer.shopware.com/docs/resources/references/config-reference/server/nginx
Apache:
The update to 6.3.5.3 or the installation of the security plugin will update the htaccess. If you want to do this by your own, copy this file: https://github.com/shopware/production/blob/6.3/.htaccess
We recommend updating to the current version 6.3.5.3. You can get the update to 6.3.5.3 regularly via the Auto-Updater or directly via the download overview.
https://www.shopware.com/en/download/#shopware-6
For older versions of 6.1 and 6.2, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.
https://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659
