In this security release, we have fixed a critical vulnerability in addition to the usual bug fixes, as well as two other general security improvements. Affected are the Shopware versions from 6.1.0 up to and including 184.108.40.206. The following vulnerabilities have been fixed with this security update:
NEXT-14533 - After order payment process manipulatable
NEXT-14188 - Protect .env via .htaccess in shopware root!
NEXT-14278 - Persistent Cross-site Scripting Vulnerability
NEXT-14482 - Aggregations are not protected by ApiAware
To make use of the fixes made with NEXT-14188 & NEXT-14278 please make sure to update your server config accordingly.