spryker · lenadoc · Oct 9, 2023 · Oct 4, 2023 · Oct 4, 2023 · Oct 9, 2023
diff --git a/_data/sidebars/scos_user_sidebar.yml b/_data/sidebars/scos_user_sidebar.yml
@@ -12,13 +12,15 @@ entries:
       - title: Release notes
         url: /docs/scos/user/intro-to-spryker/releases/release-notes/release-notes.html
         nested:
+        - title: Security elease notes 202309.0
+          url: /docs/scos/user/intro-to-spryker/releases/release-notes/security-release-notes-202309.0.html
         - title: Release notes 202307.0
           url: /docs/scos/user/intro-to-spryker/releases/release-notes/release-notes-202307.0/release-notes-202307.0.html
           nested:
-          - title: Security release notes 202307.0
-            url: /docs/scos/user/intro-to-spryker/releases/release-notes/release-notes-202307.0/security-release-notes-202307.0.html
-        - title: Release notes 202306.0
-          url: /docs/scos/user/intro-to-spryker/releases/release-notes/release-notes-202306.0/security-release-notes-202306.0.html
+        - title: Security release notes 202307.0
+          url: /docs/scos/user/intro-to-spryker/releases/release-notes/release-notes-202307.0/security-release-notes-202307.0.html
+        - title: Security release notes 202306.0
+          url: /docs/scos/user/intro-to-spryker/releases/release-notes/security-release-notes-202306.0.html
         - title: Release notes 202304.0
           nested:
           - title: Security release notes 202304.0

diff --git a/...2306.0/security-release-notes-202306.0.md → ...-notes/security-release-notes-202306.0.md b/...2306.0/security-release-notes-202306.0.md → ...-notes/security-release-notes-202306.0.md
@@ -3,6 +3,8 @@ title: Security release notes 202306.0
 description: Security release notes for the Spryker Product release 202306.0
 last_updated: Jul 11, 2023
 template: concept-topic-template
+redirect_from:
+    - /docs/scos/user/intro-to-spryker/releases/release-notes/release-notes-202306.0/security-release-notes-202306.0.html
 ---
 
 The following information pertains to security-related issues that have been recently resolved. All issues are listed by description and affected modules.
@@ -44,7 +46,7 @@ composer show spryker/product-management # Verify the version
 
 ## Cross-company role manipulation 
 
-Due to missing access validation controls on the backend, an administrator user of a company was able to create and update roles for other companies. This attack was possible by manipulating the company ID parameter included in the HTTP requests of the role creation functionality. 
+Due to missing access validation controls on the backend, an administrator user of a company was able to create and update roles for other companies. This was possible due to the possibility to manipulate the company ID parameter included in the HTTP requests of the role creation functionality. 
 
 ### Affected modules
 
@@ -56,9 +58,9 @@ Access validation controls have been implemented to prevent administrators from
 
 ### How to get the fix
 
-The update requires PHP 8 to be installed. If you are using PHP 7, see [PHP 8.0 as the minimum version for all Spryker projects](https://docs.spryker.com/docs/scos/user/intro-to-spryker/whats-new/php8-as-a-minimum-version-for-all-spryker-projects.html).
+The update requires PHP 8 to be installed. If you are using PHP 7, see [PHP 8.0 as the minimum version for all Spryker projects](https://docs.spryker.com/docs/scos/user/intro-to-spryker/whats-new/php8-as-a-minimum-version-for-all-spryker-projects.html) for details on how to migrate to PHP 8.0.
 
-To implement a fix for this vulnerability, upgrade the company page module to version 2.22.0:
+To implement a fix for this vulnerability, upgrade the `company-page` module to version 2.22.0:
 
 ```bash
 composer require spryker-shop/company-page:"~2.22.0"
@@ -79,7 +81,7 @@ Additional validation controls have been implemented to prevent an attacker from
 
 ### How to get the fix
 
-To implement a fix for this vulnerability, update the Kernel module:
+To implement a fix for this vulnerability, update the `kernel` module:
 
 * If your version of `spryker/kernel` is 3.72.0, update to version 3.72.1:
 
@@ -109,9 +111,9 @@ composer require spryker/kernel:"~3.68.1"
 composer show spryker/kernel # Verify the version
 ```
 
-## Brute-force Attacks in the Storefront and Back Office
+## Brute-force attacks on the Storefront and in the Back Office
 
-The Storefront, Back Office, and Merchant portals were prone to brute-force attacks. By exploiting this type of vulnerability, an attacker was able to systematically attempt different combinations of usernames and passwords against the login pages of the affected portals until a valid combination is identified.
+The Storefront, the Back Office, and the Merchant portals were prone to brute-force attacks. By exploiting this type of vulnerability, an attacker was able to systematically attempt different combinations of usernames and passwords against the login pages of the affected portals until a valid combination was identified.
 
 ### Affected modules
 
@@ -193,7 +195,7 @@ $config[SecurityBlockerBackofficeConstants::BACKOFFICE_USER_BLOCKING_NUMBER_OF_A
 9. Add translations to `data/import/common/common/glossary.csv`:
 
 ```csv
-security_blocker_backoffice_gui.error.account_blocked,"Too many log in attempts from your address. Please wait %minutes% minutes before trying again.",en_US
+security_blocker_backoffice_gui.error.account_blocked,"Too many log-in attempts from your address. Please wait %minutes% minutes before trying again.",en_US
 security_blocker_backoffice_gui.error.account_blocked,"Warten Sie bitte %minutes% Minuten, bevor Sie es erneut versuchen.",de_DE
 ```
 
@@ -386,7 +388,7 @@ Input validation controls have been implemented on the server side to validate v
 
 ### How to get the fix
 
-To implement a fix for this vulnerability, update the ShopUi, CustomerPage, CompanyPage, Customer, CompanyUnitAddressGui, and MerchantProfileGui modules:
+To implement a fix for this vulnerability, update the `shop-ui`, `customer-page`, `company-page`, `customer`, `company-unit-address-gui`, and `merchant-profile-gui` modules:
 
 1. Upgrade the `spryker-shop/shop-ui` module to at least version 1.70.0:
 
@@ -489,7 +491,7 @@ The affected library has been upgraded.
 
 ### How to get the fix
 
-To implement a fix for this vulnerability, update the Guzzle, MessageBrokerAws, SecretsManagerAws, and  OauthAuth0 modules:
+To implement a fix for this vulnerability, update the `guzzle`, `message-broker-aws`, `secrets-manager-aws`, and  `oauth-auth0` modules:
 
 1. Upgrade the `spryker/guzzle` module to version 2.4.1:
 
@@ -545,7 +547,7 @@ The following security-related HTTP headers can be implemented:
 
 To implement a fix for this vulnerability: 
 
-1. Update the event-dispatcher, glue-backend-api-application, glue-storefront-api-application, HTTP and merchant-portal-application modules:
+1. Update the `event-dispatcher`, `glue-backend-api-application`, `glue-storefront-api-application`, `HTTP`, and `merchant-portal-application` modules:
 
 ```bash
 composer update spryker/event-dispatcher spryker/glue-backend-api-application spryker/glue-storefront-api-application spryker/http spryker/merchant-portal-application

diff --git a/...user/intro-to-spryker/releases/release-notes/security-release-notes-202309.0.md b/...user/intro-to-spryker/releases/release-notes/security-release-notes-202309.0.md
@@ -0,0 +1,193 @@
+---
+title: Security release notes 202309.0
+description: Security release notes for 202309.0
+last_updated: Oct 4, 2023
+template: concept-topic-template
+---
+
+The following information pertains to security-related issues that have been recently resolved. All issues are listed by description and affected modules.
+
+If you need any additional support with this content, [contact our support](https://support.spryker.com/). If you found a new security vulnerability, inform us through [security@spryker.com](mailto:security@spryker.com).
+
+## Insecure file upload functionality
+
+The file upload functionality lacked robust validation controls, so it was possible to upload files of potentially malicious type or content.
+
+### Affected modules
+
+`spryker/price-product-schedule-gui`: 1.0.0 - 2.4.0
+`spryker/file-manager-gui`: 1.0.0 - 2.4.0
+`spryker/product-list-gui`: 1.0.0 - 2.3.0
+
+### Introduced changes
+
+Proper validation controls have been implemented for the files uploaded via the upload functionality.
+
+### How to get the fix
+
+To implement a fix for this vulnerability: 
+
+1. Upgrade the `spryker/file-manager` module version to 2.3.0:
+
+```bash
+composer require spryker/file-manager:"~2.3.0"
+composer show spryker/file-manager # Verify the version 
+```
+
+2. Upgrade the `spryker/validator` module version to 1.2.0:
+
+```bash
+composer require spryker/validator:"~1.2.0"
+composer show spryker/validator # Verify the version
+```
+
+3. Upgrade the `spryker/file-manager-gui` module version to 2.5.0:
+
+```bash
+composer require spryker/file-manager-gui:"~2.5.0"
+composer show spryker/file-manager-gui # Verify the version
+```
+
+4. Upgrade the `spryker/file-manager-data-import` module version to 2.1.0:
+
+```bash
+composer require spryker/file-manager-data-import:"~2.1.0"
+composer show spryker/file-manager-data-import # Verify the version 
+```
+
+5. Upgrade the `spryker/price-product-schedule-gui` module version to 2.6.0:
+
+```bash
+composer require spryker/price-product-schedule-gui:"~2.6.0" --with-dependencies
+composer show spryker/price-product-schedule-gui # Verify the version
+```
+
+6. Upgrade the `spryker/product-list-gui` module version to 2.4.0:
+
+```bash
+composer require spryker/product-list-gui:"~2.4.0"
+composer show spryker/product-list-gui # Verify the version
+```
+
+7. Adjust the `data/import/common/common/mime_type.csv` import file: include available extensions for mime types:
+
+```bash
+name,is_allowed,extensions
+text/csv,1,"csv,txt"
+```
+
+8. Import MIME types:
+
+```bash
+console data:import mime-type.
+```
+
+9. Adjust the config `src/Pyz/Zed/FileManagerGui/FileManagerGuiConfig.php`:
+
+```bash
+<?php
+
+/**
+ * This file is part of the Spryker Suite.
+ * For full license information, please view the LICENSE file that was distributed with this source code.
+ */
+
+namespace Pyz\Zed\FileManagerGui;
+
+use Spryker\Zed\FileManagerGui\FileManagerGuiConfig as SprykerFileManagerGuiConfig;
+
+class FileManagerGuiConfig extends SprykerFileManagerGuiConfig
+{
+    /**
+     * @var bool
+     */
+    protected const IS_FILE_EXTENSION_VALIDATION_ENABLED = true;
+}
+```
+
+10. Adjust the config `src/Pyz/Zed/PriceProductScheduleGui/PriceProductScheduleGuiConfig.php`:
+
+```bash
+<?php
+
+/**
+ * This file is part of the Spryker Suite.
+ * For full license information, please view the LICENSE file that was distributed with this source code.
+ */
+
+namespace Pyz\Zed\PriceProductScheduleGui;
+
+use Spryker\Zed\PriceProductScheduleGui\PriceProductScheduleGuiConfig as SprykerPriceProductScheduleGuiConfig;
+
+class PriceProductScheduleGuiConfig extends SprykerPriceProductScheduleGuiConfig
+{
+    /**
+     * @var bool
+     */
+    protected const IS_FILE_EXTENSION_VALIDATION_ENABLED = true;
+}
+```
+
+11. Adjust the config `src/Pyz/Zed/ProductListGui/ProductListGuiConfig.php`:
+
+```bash
+<?php
+
+/**
+ * This file is part of the Spryker Suite.
+ * For full license information, please view the LICENSE file that was distributed with this source code.
+ */
+
+namespace Pyz\Zed\ProductListGui;
+
+use Spryker\Zed\ProductListGui\ProductListGuiConfig as SprykerProductListGuiConfig;
+
+class ProductListGuiConfig extends SprykerProductListGuiConfig
+{
+    /**
+     * @var bool
+     */
+    protected const IS_FILE_EXTENSION_VALIDATION_ENABLED = true;
+}
+```
+
+## Credential stuffing attack affects the Agent and Customer portals
+
+The login portal was vulnerable to credential stuffing—an attack in which an attacker submits a large number of username and password pairs ("credentials") into the login form. This is done with the intention of fraudulently gaining access to user accounts.
+
+### Affected modules
+
+`spryker-shop/security-blocker-page`: 1.0.0 - 1.0.1
+
+### Introduced changes
+
+Possibility to limit the number of login attempts performed from a single IP address. 
+
+### How to get the fix
+
+To implement a fix for this vulnerability:
+
+1. Update the `spryker-shop/security-blocker-page` module version to 1.1.0:
+
+```bash
+composer require spryker-shop/security-blocker-page:"~1.1.0"
+composer show spryker-shop/security-blocker-page # Verify the version
+```
+
+2. Adjust `configurationsrc/Pyz/Yves/SecurityBlockerPage/SecurityBlockerPageConfig.php`:
+
+```bash
+<?php
+
+namespace Pyz\Yves\SecurityBlockerPage;
+
+use SprykerShop\Yves\SecurityBlockerPage\SecurityBlockerPageConfig as SprykerSecurityBlockerPageConfig;
+
+class SecurityBlockerPageConfig extends SprykerSecurityBlockerPageConfig
+{
+    /**
+     * @var bool
+     */
+    protected const USE_EMAIL_CONTEXT_FOR_LOGIN_SECURITY_BLOCKER = false;
+}
+```