In this security release we have closed security issues rated "medium" and "critical". All listed issues were discovered in an internal penetration test. Affected are Shopware versions from 6.1.0 up to and including 6.4.3.0. The following vulnerabilities have been fixed with this security update:
NEXT-15601: Manipulation of product reviews via API.
NEXT-15673: Authenticated server-side request forgery in file upload via URL.
NEXT-15677: Cross-Site Scripting via SVG media files.
NEXT-15675: Insecure direct object reference of log files of the Import/Export feature.
NEXT-15669: Command injection in mail agent settings.
We recommend updating to the current version 6.4.3.1. You can obtain the update to 6.4.3.1 as usual via the Auto-Updater or directly from the download overview:
https://www.shopware.com/en/download/#shopware-6
For older versions (6.3 and lower), corresponding security measures are also available as a plugin:
https://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659
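As an added example (not Shopware's own code), the following check tells an operator whether a deployed instance falls inside the affected range stated above and which remediation path applies; the version-string format and the rule that the plugin covers affected versions 6.3 and lower are assumptions based on this advisory.

```python
"""Check a Shopware 6 version against the affected range in this advisory
(6.1.0 up to and including 6.4.3.0) and report the remediation path."""

AFFECTED_MIN = (6, 1, 0, 0)
AFFECTED_MAX = (6, 4, 3, 0)
FIXED_VERSION = "6.4.3.1"
PLUGIN_MAX_MINOR = (6, 3)  # assumption: plugin covers affected 6.3.x and lower


def parse_version(text: str) -> tuple:
    """Parse '6.4.3.0' or 'v6.4.3.0' into a 4-tuple; '6.4.3' pads to 6.4.3.0."""
    parts = text.strip().lstrip("vV").split(".")
    nums = []
    for part in parts:
        if not part.isdigit():
            raise ValueError(f"non-numeric version component: {part!r}")
        nums.append(int(part))
    while len(nums) < 4:
        nums.append(0)
    return tuple(nums[:4])


def assess(version_text: str) -> dict:
    """Return whether the version is affected and what the advisory recommends."""
    version = parse_version(version_text)
    affected = AFFECTED_MIN <= version <= AFFECTED_MAX
    if not affected:
        action = "not affected"
    elif version[:2] <= PLUGIN_MAX_MINOR:
        action = f"update to {FIXED_VERSION} or install the security plugin"
    else:
        action = f"update to {FIXED_VERSION}"
    return {
        "version": ".".join(map(str, version)),
        "affected": affected,
        "action": action,
    }


if __name__ == "__main__":
    # Constructed sample inputs covering the range boundaries.
    for sample in ("6.0.0", "6.1.0", "v6.3.5.2", "6.4.3", "6.4.3.1"):
        print(assess(sample))
```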