Release notes Shopware 6.7.3.1

Abstract

This patch release contains security and other bug fixes. Please make sure to update immediately or use the latest version of the Shopware Security Plugin if you cannot update right now.

System requirements

• tested on PHP 8.2 and 8.4
• tested on MySQL 8 and MariaDB 11

Improvements

(No notable improvements in this patch release)

Fixed bugs

Security bulletins

• GHSA-m895-2hj3-8cg9 Reading media entities by aggregating fields individually bypasses MediaVisibilityRestrictionSubscriber
• GHSA-27c9-vp3w-6ww8 Exposure of sensitive user information via CSV export mapping
• GHSA-3cpp-fv95-mpr5 Server-Side Request Forgery (SSRF) – order invoice
• GHSA-6wh5-mw9h-5c3w Path traversal via Plugin upload
• GHSA-r2vg-hvjm-fg38 Customer Orders can be canceled, even if refunds are disabled

Other fixed bugs

• 12884 Legacy Cookie definitions could break
• 12885 With Shopware 6.7.3, it's no longer possible to change the delivery or billing address in the checkout
• 12888 fix: api encode issue with partial entity (backport: 6.7.3.x)
• 12899 fix: address manager create form (backport: 6.7.3.x)
• 12506 CartPromotionsDataDefinition::removeCode() may fail when codes are returned as int from getAllCodes()
• 12075 fix: Admin es search for "document number" doesn't return any results
• 12363 fix: missing product rule filter
• 12472 fix: cast XML config values for Length constraint to int to prevent type errors
• 12434 Customer address gets stuck on non-default address when changed during checkout
• 12979 compatibility with OpenSearch 3.x

Credits

Thanks to all diligent friends for helping us make Shopware better and better with each pull request!

More resources

• Detailed diff on Github to the former version
• Changelog on GitHub for this version.
• Installation overview
• Update from a previous installation

Get in touch

Discuss about decisions, bugs you might stumble upon, etc in our community discord. See you there 😉