Release notes Shopware 6.5.7.4
Abstract
Shopware patch v6.5.7.4 fixes the following security issues:
- CVE-2024-22406 - Blind SQL-injection in DAL aggregations (CVSS = 9.3)
- CVE-2024-22408 - Server-Side Request Forgery (SSRF) in Flow Builder (CVSS = 7.6)
- CVE-2024-22407 - Broken Access Control order API (CVSS = 4.9)
- DomPDF security issue in Commercial plugin < 2.0.3 - Resource exhaustion caused by infinite recursion when validating SVG images (CVSS = 5.3)
The Flow Builder issue affects only the Commercial plugin or earlier versions of the SwagFlowBuilder (Flow Builder Professional) plugin.
Security page: https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-01-2024
Please update immediately to the latest Shopware version or install the Security Plugin if you cannot update swiftly.
System requirements
- tested on PHP 8.1 and 8.2
- tested on MySQL 8.0.33, MariaDB 10.4, 10.5, 10.11 & 11.0
Fixed bugs
- NEXT-32388 | Update dompdf/dompdf to 2.0.4
- NEXT-32201 | Add 'innovation' as package title
- NEXT-32889 | Fix privileges for state machine
More resources
- Detailed diff on Github to the former version
- Changelog on GitHub for this version.
- Installation overview
- Update from a previous installation
Get in touch
Discuss decisions, bugs you might stumble upon, etc. in our community Slack. See you there 😉