VirtueMart 3.2.6 has been released to address a minor XSS vulnerability present in previous versions as well as improve the infrastructure. It occurred when the features feeds and search were used together. It happened only for feed enabled, so administrators can close the leak by disabling the feed functions.
The vulnerability has been addressed by using getCurrentUrlBy function, which works with a whitelist for variable names and it urlencodes any value.
VirtueMart 3.2.6 Improvements
- Important patch to prevent memory leak when switching languages.
- usermodel, extra check if the already loaded user has the right id.
- Renamed order_done layout to orderdone to be able to create a menu item.
- New feature customfield of type S and M have now a new parameter, which enables the added price as percentage.
- Added redirect per system plugin "vmLoaderPluginUpdate" for register and login.
- Shipment plugin shows now also multiple countries.
- vmJsApi, fix for correct language of the datepicker.
- mediahandler has now a deleteAllThumbs of a certain image function (works with regex, may delete accidently too much thumbs which is quite likely unimportant.
- Vendor model getVendorAddressFields does not work with internal id anylonger.
- BE category list keeps selected category.
- Very important fix for multivariants, which lost in some conditions the parent option, when changing to a child.
- Language dependent caching.
- install.sql, removed NULLs for product group booleans, like featured, discontinued, ...
- More security for function getMyOrderDetails.
- Enhanced search plugin.
- Removed double // in function displayLogos in vmpsplugin.php. When the shipment/payment logo dissapeared in checkout, please read http://forum.virtuemart.net/index.php?topic=138927.0
- Function changeShopper, address is not pre-filled with userdata of the switching user (in case the address is not provided).
- Fixed frontend manager link permission in user accountmaintenance.
View full list of changes here
Thanks for reading!