Sometimes we used in the code JURI::getInstance()->toString(), but the entered URL is not filtered. Templaters, 3rd party developers and people who use their own layout overrides should check their code if they also use it and in case they do, replace it. Everyone who used this in his templates should replace it by vmURI::getCleanUrl(). The problematic part is in the mod_virtuemart/_currencies/tmpl/default.php. The fix for this problem provided in vm2.0.22b is preventing the worst, but is not as secure as the new version.
The other fixes are within the core. We thank Compass Security (www.csnc.ch) and Fiona Coulter (spiralscripts.co.uk) for finding the leaks. We strongly recommened everyone to update his installations ASAP. We still see people with version 2.0.10, because they are afraid to update. People fearing that their overrides may not work any longer should test the store on a backup and just verify each override if it is still necessary. If you still have problems after doing this, please join our forum http://forum.virtuemart.net/index.php?board=130.0. The big steps were between 2.0.0-2.0.12. In case of an update from a pretty old version, it might be better to start with the original vm2.0.22c layouts and reimplement the customisations.
The former german club Mambo e.V, now known als "Joomla and Beyond e.V" invites to a conference on the 13th - 14th of September in Nuremberg (Nürnberg), Germany. The Virtuemart Team will be represented by 5 core members. We invite everyone to visit our talk during the business day and/or our workshops during the community day. Yagendoo will also do a workshop about VirtueMart 2 templating. Take the opportunity to update your store with the help of professionals. Furthermore there are a lot of other presentations and talks about joomla and its extensions. 'JoomlaDays' provide users and developers a good opportunity for a direct talk and informal feedback. Be part of the Joomla/VirtueMart community, come and join http://www.joomladay.de/