The vulnerability has been addressed by using getCurrentUrlBy function, which works with a whitelist for variable names and it urlencodes any value.
VirtueMart 3.2.6 Improvements
- Important patch to prevent memory leak when switching languages.
- usermodel, extra check if the already loaded user has the right id.
- Renamed order_done layout to orderdone to be able to create a menu item.
- New feature customfield of type S and M have now a new parameter, which enables the added price as percentage.
- Added redirect per system plugin "vmLoaderPluginUpdate" for register and login.
- Shipment plugin shows now also multiple countries.
- vmJsApi, fix for correct language of the datepicker.
- mediahandler has now a deleteAllThumbs of a certain image function (works with regex, may delete accidently too much thumbs which is quite likely unimportant.
- Vendor model getVendorAddressFields does not work with internal id anylonger.
- BE category list keeps selected category.
- Very important fix for multivariants, which lost in some conditions the parent option, when changing to a child.
- Language dependent caching.
- install.sql, removed NULLs for product group booleans, like featured, discontinued, ...
- More security for function getMyOrderDetails.
- Enhanced search plugin.
- Removed double // in function displayLogos in vmpsplugin.php. When the shipment/payment logo dissapeared in checkout, please read http://forum.virtuemart.net/index.php?topic=138927.0
- Function changeShopper, address is not pre-filled with userdata of the switching user (in case the address is not provided).
- Fixed frontend manager link permission in user accountmaintenance.
View full list of changes here
Thanks for reading!