Security release notes 202605.0
This document describes the security-related issues that have recently been resolved.
For additional support with this content, contact our support. If you found a new security vulnerability, contact us at [email protected].
Information disclosure via phpinfo() method
Prerequisite
This security update requires Spryker 202604.0 or later. Ensure your project is upgraded to this version before applying the fix.
Calls to phpinfo() were identified in the codebase. phpinfo() prints the full PHP configuration, the loaded extensions and the environment variables of the running process (which, in a typical deployment, include database and service credentials), so a reachable call could expose sensitive configuration details and environment variables to unauthorized parties. One such call was part of the default Back Office setup.
Affected modules
spryker/setup: < 4.8.0
spryker/maintenance: < 3.6.0
Fix the vulnerability
Update the spryker/setup package to version 4.8.0 or higher:
composer update spryker/setup:"^4.8.0"
composer show spryker/setup # Verify the version
Update the spryker/maintenance package to version 4.0.0 or higher:
composer update spryker/maintenance:"^4.0.0"
composer show spryker/maintenance # Verify the version
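As an added example (not code from Spryker or from this advisory), the following POSIX shell script checks, after the updates above, that the versions pinned in composer.lock meet the minimums given here and that no phpinfo() call is left in the PHP sources you point it at. The function names, the choice of composer.lock as the version source and the demo input at the end are assumptions of this example; it relies on GNU grep (for --include) and sort -V.

```shell
#!/bin/sh
# Added example for the phpinfo() advisory; not Spryker code.
# Package names and minimum versions come from the advisory above; the
# helper names, the lock-file parsing and the demo data are assumptions.

# version_ge A B: true when version A is >= version B.
# sort -V orders version strings numerically, so the smaller one comes first.
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# installed_version PKG [LOCKFILE]: prints the version pinned for PKG in
# composer.lock. In a standard lock file the "version" line directly follows
# the "name" line of each package entry; the trailing comma and quote in the
# pattern stop "spryker/setup" from matching "spryker/setup-something".
installed_version() {
    awk -v pkg="\"name\": \"$1\"," '
        index($0, pkg) { found = 1; next }
        found && /"version":/ { gsub(/[",]/, "", $2); print $2; exit }
    ' "${2:-composer.lock}"
}

# check_package PKG MIN [LOCKFILE]: exit 0 when PKG is locked at >= MIN,
# exit 1 when it is missing from the lock file or still below the minimum.
check_package() {
    ver=$(installed_version "$1" "${3:-composer.lock}")
    if [ -z "$ver" ]; then
        echo "$1: not found in lock file" >&2
        return 1
    fi
    if version_ge "$ver" "$2"; then
        echo "$1 $ver >= $2: ok"
    else
        echo "$1 $ver < $2: VULNERABLE, update required" >&2
        return 1
    fi
}

# phpinfo_free DIR...: exit 0 when no .php file under the given directories
# calls phpinfo(); otherwise prints every match (file:line:text) and exits 1.
# Matches inside comments are reported too; review them by hand.
phpinfo_free() {
    ! grep -rn --include='*.php' 'phpinfo[[:space:]]*(' "$@"
}

# Constructed demo input (not a real project): a minimal composer.lock in the
# layout Composer writes, with spryker/setup still below the fixed version,
# and one PHP file that calls phpinfo().
demo=$(mktemp -d)
cat > "$demo/composer.lock" <<'EOF'
{
    "packages": [
        {
            "name": "spryker/maintenance",
            "version": "4.0.0"
        },
        {
            "name": "spryker/setup",
            "version": "4.7.0"
        }
    ]
}
EOF
mkdir -p "$demo/src"
printf '<?php\nphpinfo();\n' > "$demo/src/info.php"

check_package spryker/setup 4.8.0 "$demo/composer.lock" || true
check_package spryker/maintenance 4.0.0 "$demo/composer.lock" || true
if phpinfo_free "$demo/src"; then
    echo "no phpinfo() calls found"
else
    echo "the phpinfo() call(s) listed above must be removed"
fi
rm -rf "$demo"
```

In a real project, run the checks from the project root without the lock-file argument, and pass both your own sources and the vendor modules to phpinfo_free (for example `phpinfo_free src vendor/spryker`), since the call this advisory describes lived in a shipped module rather than in project code.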