We have released a new security version for Shopsys Framework. This release contains a remedy for a recent security vulnerability. We strongly recommend upgrading your project to this new patch version.
The vulnerability was induced by improper escaping of some attributes when rendering e-mails. In the default installation of Shopsys Framework, the vulnerability could be exploited by HTML injection. In some settings, potentially malicious content could be sent via e-mail templates and in some cases mail clients might execute this code.
To resolve this vulnerability, upgrade to the newest patch version for your Shopsys Framework. The security patch was released for all stable versions of Shopsys Framework: v7.0.1, v7.1.1 and v7.2.2.
For more information about the vulnerability and how it was resolved, please see pull request #1120 on our GitHub.
Note: if you are using beta versions of Shopsys Framework, apply changes manually and update to a newer version as soon as possible.