Release notes Shopware 6.5.8.13

Abstract

This patch release is a security release, additionally containing nine regular bug fixes. Please update as soon as possible!

System requirements

• tested on PHP 8.1, 8.2 and 8.3
• tested on MySQL 8.0.33, MariaDB 10.4. 10.5, 10.11 & 11.0

Security bulletins

• CVE-2024-42357 | Blind SQL-injection in DAL aggregations
• CVE-2024-42356 | Server Side Template Injection in Twig using Context functions
• CVE-2024-42355 | Server Side Template Injection in Twig using deprecation silence tag
• CVE-2024-42354 | Improper Access Control with ManyToMany associations in store-api

Fixed bugs

• NEXT-36445 | when creating a new customer in admin, salutation of the shipping address is saved incorrectly (8 votes)
• NEXT-34301 | Flow send-email-action uses wrong adress (6 votes)
• NEXT-36924 | StoreApiSeoResolver and auth_required=false lead to TypeError (6 votes)
• NEXT-37348 | change shipping address in order details doesnt work (3 votes)
• NEXT-37525 | Tax provider processor does not allow empty tax provider results (0 votes)
• NEXT-34410 | [Github] fix: Allow Twig array filters to accept null (0 votes)
• NEXT-35343 | The selected order language is not saved for a manually created orders (0 votes)
• NEXT-37034 | Automatisch hinzugefügte Rabatte nicht abwählbar (0 votes)
• NEXT-37175 | Assets for bundles which use bundle suffix can not be loaded (0 votes)

Credits

Thanks to all diligent friends for helping us make Shopware better and better with each pull request!

• Max
• Marcel Romeike

More resources

• Detailed diff on Github to the former version
• Changelog on GitHub for this version.
• Installation overview
• Update from a previous installation

Get in touch

Discuss about decisions, bugs you might stumble upon, etc in our community slack. See you there 😉