As we mentioned in the last news, VirtueMart is audited by several security companies. We are very happy that they found the persistent XSS vulnerability before we released vm3.0.8, so vm3.0.8 already contains the fix.
The fix in vm2admin.js is here.
If you cannot update, just replace your vm2admin.js with the new one.
The other fixes are more complex, spread over several files, and mainly harden the code so the problem cannot recur:
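The post gives no details of the vm2admin.js change itself, so the following is an added illustration of the general mitigation for this bug class, not VirtueMart's code: stored order data (here a constructed customer note) is HTML-escaped before it is concatenated into admin markup. The function and field names are assumptions made for the example.

```javascript
// Added example (not VirtueMart's code): HTML-escape untrusted strings before
// they are placed into admin markup. Field names and sample data are constructed.

// Escape the five characters that can break out of HTML text or attribute context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: stored order data is concatenated straight into markup,
// so markup saved with the order is rendered in every admin's browser.
function renderOrderRowUnsafe(order) {
  return '<tr><td>' + order.order_number + '</td><td>' + order.customer_note + '</td></tr>';
}

// Hardened pattern: every untrusted field passes through escapeHtml() first.
function renderOrderRowSafe(order) {
  return '<tr><td>' + escapeHtml(order.order_number) + '</td><td>' + escapeHtml(order.customer_note) + '</td></tr>';
}

// Constructed sample: a stored customer note that contains markup, which is
// what a persistent XSS payload looks like once it sits in the database.
const sampleOrder = {
  order_number: 'ORD-0001',
  customer_note: '<img src=x onerror="alert(1)">',
};

// Detection helper for the example: does rendered markup still contain a raw
// img/script tag that did not come from the template itself?
function containsRawTag(html) {
  return /<(img|script)\b/i.test(html);
}

// Stand-alone usage: the unsafe row carries the tag through, the safe row does not.
console.log(containsRawTag(renderOrderRowUnsafe(sampleOrder)), containsRawTag(renderOrderRowSafe(sampleOrder)));
```

In a browser the same effect is obtained by assigning untrusted text via `textContent` (or jQuery's `.text()`) instead of building HTML strings; the escaping function is shown here so the example runs outside a DOM.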
- /models/orders.php rev=8828
- BE/views/orders/tmpl/orders.php rev=8828
- BE/views/orders/tmpl/order.php rev=8828
Please remember that all these fixes are already in vm3.0.8. This post is just the disclosure.
Meanwhile we have created vm3.0.9, which is also suitable for production use. But test your "add to cart" popup, and note that editing of orders could behave differently.
- New ordering "ordering, name", which sorts by ordering if available, then by name.
- If a product had more than one category and one of them was not published, the selected category could end up being the unpublished one. This is fixed.
- Order item edit now uses the same function as create/update, so the same triggers can be used to manipulate how the data is stored.
- "Give vendors switched into shoppers their rights": a vendor who has switched into a shopper account can still administer the store.
- Klarna: replaced serialize() with json_encode().
- Added the option to add JS files inline (sometimes easier with AJAX).
- Add to cart can now be stopped by other JS by setting e.stopSendtocart = true.
- Added a check in the AIO to prevent a blank page caused by installation without a proper VirtueMart core.
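The "stop add to cart" hook above is described only by its flag name. The following is an added example, not VirtueMart's event code, of how such a veto flag on the event object works: the dispatcher builds the event, every listener may set `stopSendtocart`, and the request is only sent if no listener did. The registry and listener structure, and the `sendToCart` name, are assumptions for illustration.

```javascript
// Added example (not VirtueMart's code). The flag name stopSendtocart comes from
// the release note; the dispatcher and registry are assumed for illustration.

// A tiny listener registry standing in for the page's real event system.
const beforeAddListeners = [];
function onBeforeAddToCart(fn) {
  beforeAddListeners.push(fn);
}

// Dispatcher: build the event, let every listener inspect it, then decide.
// Returns the request that would be sent, or null when a listener vetoed it.
function sendToCart(productId, quantity) {
  const e = { productId, quantity, stopSendtocart: false };
  for (const fn of beforeAddListeners) {
    fn(e);
  }
  if (e.stopSendtocart === true) {
    return null;
  }
  return { action: 'addtocart', productId, quantity };
}

// Example listener: refuse to send obviously malformed quantities. This is a
// usability check in the browser; the server still has to validate the value.
onBeforeAddToCart(function (e) {
  if (!Number.isInteger(e.quantity) || e.quantity < 1 || e.quantity > 99) {
    e.stopSendtocart = true;
  }
});

// Stand-alone usage: one request goes out, the other two are stopped.
console.log(sendToCart(42, 2), sendToCart(42, 0), sendToCart(42, 500));
```

Because the flag lives on the event object, any number of independent scripts can register a listener and veto the request without knowing about each other; the dispatcher checks the flag once, after all of them have run.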