CVE-2022-31057: Shopware 5 - Security Updates
Shopware is an open source e-commerce software made in Germany. Versions of Shopware 5 prior to version 5.7.12 are subject to an authenticated Stored XSS in Administration. Users are advised to upgrade. There are no known workarounds for this issue.
In addition to the usual bug fixes and optimisations, we have also been able to close vulnerabilities at the "moderate" threat level.
Shopware versions 5.0.0 to 5.7.11 are affected.
The following vulnerabilities were fixed with this security update:
- SW-26748: Persistent XSS (since 5.0.0, CVE-2022-31057)
Solutions
Update the Shopware installation (Recommended)
We recommend updating to the current version 5.7.12. You can get the update to 5.7.12 as usual via the Auto-Updater or directly via the download overview.
If you can't update your Shopware installation (updating is the recommended option), you can instead secure it using a plugin:
- Download the Shopware security plugin from the store or alternatively directly from the plugin manager in the backend.
- Install and activate the plugin.
If the plugin already exists, you can simply update the plugin through the plugin manager to bring it up to date. If problems occur, you can disable individual fixes using the plugin settings.
Please check all important functionalities after installation or update, especially the ordering process.
### Impact

Authenticated Stored XSS in Administration

### Patches

We recommend updating to version 5.7.12. You can get the update to 5.7.12 as usual via the Auto-Updater or directly via the download overview.

https://www.shopware.com/de/changelog-sw5/#5-7-12

For older versions you can use the Security Plugin:
https://store.shopware.com/en/swag575294366635f/shopware-security-plugin.html

### References

https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-06-2022