Release notes Shopware 6.6.10.7
Abstract
This patch release contains security and other bug fixes. Please make sure to update immediately or use the latest version of the Shopware Security Plugin if you cannot update right now.
System requirements
- tested on PHP 8.2 and 8.4
- tested on MySQL 8 and MariaDB 11
Improvements
(No notable improvements in this patch release)
Fixed bugs
Security bulletins
- GHSA-m895-2hj3-8cg9 Reading media entities by aggregating fields individually bypasses MediaVisibilityRestrictionSubscriber
- GHSA-27c9-vp3w-6ww8 Exposure of sensitive user information via CSV export mapping
- GHSA-3cpp-fv95-mpr5 Server-Side Request Forgery (SSRF) – order invoice
- GHSA-6wh5-mw9h-5c3w Path traversal via Plugin upload
- GHSA-r2vg-hvjm-fg38 Customer Orders can be canceled, even if refunds are disabled
Other fixed bugs
- 6912 composer require shopware/platform:6.6.10.0 requires minimum-stability dev
- 6960 Skip downstreams for external contributors
- 9031 Fix 6.6.0.0 ATS update test
- 9851 Missing Event to exclude Domains from Sitemap Generation
Credits
Thanks to all diligent friends for helping us make Shopware better and better with each pull request!
More resources
- Detailed diff on GitHub to the former version
- Changelog on GitHub for this version
- Installation overview
- Update from a previous installation
Get in touch
Discuss decisions, bugs you might stumble upon, etc. in our community Discord. See you there 😉