OXID eShop 6.5.5

Release date: 13-05-2025

To close two security vulnerabilities, install OXID eShop 6.5.5.

• Smarty-based rendering vulnerability

  If an error occurs while rendering an HTML template, the content that has already been generated is not discarded but output unfiltered. This can expose buffered data – such as a password reset link – in the frontend without authorization.

  For more information, see the Security Bulletin 2025-001.

• Composer vulnerability

  For security reasons, OXID eShop 6.5.5 requires Composer version 2.7.7.

  For more information, see

  • Composer Version 2.7.7

  • CVE-2024-35241

  • CVE-2024-35242

Improvements and adjustments

For more information about changes in the compilation, see https://github.com/OXID-eSales/oxideshop_metapackage_ce/compare/v6.5.4…v6.5.5.

Updated components

We have updated the following components and modules:

• OXID eShop CE (update from 6.14.2 to 6.14.4): Changelog 6.14.4

• Visual CMS 3.7.0 (Update from 3.6.1 to 3.7.0): Changelog 3.7.0

• Unzer Payment for OXID 1.2.1 (Update from 1.1.1 to 1.2.1): Changelog 1.2.1

Components of the compilation

The compilation contains the following components:

• OXID eShop CE 6.14.4: Changelog 6.14.4

• OXID eShop composer plugin 5.2.2: Changelog 5.2.2

• Theme “Flow” 3.8.1: Changelog 3.8.1

• Theme “Wave” 1.8.0: Changelog 1.8.0

• GDPR Opt-In 2.3.3: Changelog 2.3.3

• Klarna 5.5.3: Changelog 5.5.3

• OXID Cookie Management powered by usercentrics 1.2.1: Changelog 1.2.1

• PAYONE 1.9.0: Changelog 1.9.0

• PayPal 6.5.0: Changelog 6.5.0

• WYSIWYG Editor + Mediathek 2.4.2: Changelog 2.4.2

• Makaira 1.4.5: Changelog 1.4.5

• Unzer Payment for OXID 1.2.1 (EE): Changelog 1.2.1

• Visual CMS 3.7.0 (PE/EE): Changelog 3.7.0

Installation

To install or upgrade, follow the instructions in the Installation section:

New installation
Installing a minor update
Installing a patch update