CVE-2023-22732: Shopware 6 - Security Updates
Shopware is an open source commerce platform based on the Symfony Framework and Vue.js. The Administration session expiration was set to one week, so if an attacker had stolen the session cookie they could use it for a long period of time. In version 6.4.18.1 an automatic logout for the Administration session has been added. As a result, the user will be logged out when they are inactive. Users are advised to upgrade. There are no known workarounds for this issue.
Security Update 01/2023
General Information
In this security release, we have resolved vulnerabilities of the threat levels "critical" and "medium". All Shopware versions up to and including 6.4.18.0 are affected. The following issues have been fixed with this security update:
NEXT-24667 - Remote code execution via Twig template functions.
NEXT-24679 - Logging data can contain sensitive information of password reset mails.
NEXT-24677 - Administration session is not cleared after long inactivity.
NEXT-23325 - Possibility to bypass selling limits within the checkout process.
NEXT-22891 - Newsletter route does not consider double-opt-in settings.
We recommend updating to the current version 6.4.18.1. You can update to 6.4.18.1 via the auto-updater or manually via the download package.
https://www.shopware.com/en/download/#shopware-6
For older versions, corresponding security measures are also available via the central security plugin for Shopware 6.
https://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659
### Impact

The Administration session expiration was set to one week, so if an attacker had stolen the session cookie they could use it for a long period of time.

### Patches

We added an automatic logout to the Administration, so the user will be logged out when they are inactive.

### References

https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-01-2023?category=security-updates
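The advisory's point is the difference between a fixed session lifetime and an inactivity (idle) timeout: with only a one-week lifetime, a captured cookie stays usable for days even if the real user never comes back, while an idle timeout invalidates it shortly after the user stops acting. The following is an added illustration of that distinction in Python; it is not Shopware's code, and the 30-minute idle timeout, the `SessionStore` class and the scenario functions are assumptions constructed for the example (the one-week lifetime is the value the advisory names).

```python
"""Idle-timeout session validation versus a fixed one-week lifetime.

Added illustration, not Shopware's own code. ONE_WEEK is the lifetime the
advisory describes; IDLE_TIMEOUT is an assumed example value.
"""
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

ONE_WEEK = timedelta(days=7)
IDLE_TIMEOUT = timedelta(minutes=30)  # assumed value, not Shopware's setting


@dataclass
class Session:
    user: str
    created_at: datetime
    last_seen: datetime


@dataclass
class SessionStore:
    """Server-side session table keyed by the opaque cookie value."""
    absolute_lifetime: timedelta = ONE_WEEK
    # None reproduces the pre-fix behaviour: no inactivity check at all.
    idle_timeout: Optional[timedelta] = None
    sessions: Dict[str, Session] = field(default_factory=dict)

    def create(self, user: str, now: datetime) -> str:
        sid = secrets.token_urlsafe(32)  # unguessable cookie value
        self.sessions[sid] = Session(user, now, now)
        return sid

    def validate(self, sid: str, now: datetime) -> Optional[str]:
        """Return the user for a live session, or None (and drop it) if expired."""
        s = self.sessions.get(sid)
        if s is None:
            return None
        if now - s.created_at > self.absolute_lifetime:
            del self.sessions[sid]
            return None
        if self.idle_timeout is not None and now - s.last_seen > self.idle_timeout:
            del self.sessions[sid]
            return None
        s.last_seen = now  # sliding window: each request extends the idle deadline
        return s.user


T0 = datetime(2023, 1, 1, tzinfo=timezone.utc)  # constructed login time


def stolen_cookie_replay_accepted(store: SessionStore) -> bool:
    """Cookie captured at login, user does nothing, replay after 3 days."""
    sid = store.create("admin", T0)
    return store.validate(sid, T0 + timedelta(days=3)) is not None


def active_user_stays_logged_in(store: SessionStore) -> bool:
    """User sends a request every 10 minutes for 2 hours; never idle long enough."""
    sid = store.create("admin", T0)
    for step in range(1, 13):
        if store.validate(sid, T0 + timedelta(minutes=10 * step)) is None:
            return False
    return True


def active_user_hits_absolute_limit(store: SessionStore) -> bool:
    """Even a constantly active user is cut off once the absolute lifetime passes."""
    sid = store.create("admin", T0)
    for step in range(1, 8 * 24 * 6 + 1):  # every 10 minutes for 8 days
        if store.validate(sid, T0 + timedelta(minutes=10 * step)) is None:
            return True
    return False


if __name__ == "__main__":
    print("one-week lifetime only, replay after 3 idle days accepted:",
          stolen_cookie_replay_accepted(SessionStore()))
    print("with idle timeout, replay after 3 idle days accepted:",
          stolen_cookie_replay_accepted(SessionStore(idle_timeout=IDLE_TIMEOUT)))
    print("with idle timeout, active user kept logged in:",
          active_user_stays_logged_in(SessionStore(idle_timeout=IDLE_TIMEOUT)))
```

Keeping both checks matters: the idle timeout bounds how long an unattended cookie is useful, and the absolute lifetime bounds how long any cookie is useful regardless of activity, so a stolen cookie that is kept "warm" by the attacker still expires.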