This fairly serious XSS discovered by Mattia Furlani pertained only the administration area, so most shops are not affected. Shop owners running a multi-vendor store or fearing that their employees may use this leak should update as soon as possible.
The new core has some fixes for php 7.1 - 7.2 compatibility.
Compliance to the new french financial law
At present we have also integrated some fraud protection requirements to comply with the new French law. This includes, for example, the new invoice processing system. When an invoice was changed, the old treatment renamed the originally created invoice and created a new invoice with the same invoice number. The new treatment creates a regular new invoice number while the old invoice remains listed and accessible. We also added an order item history table. The class vmtable can now automatically save a hash to any entry. For example the order entries store a hash of the important data per line, so it is now possible to check the integrity of an entry. This system is not completed yet.
- Behaviour of the table object is more consistent and reliable.
- Behaviour of payment plugins after pressing confirm in the cart and cancelling the payment is now more consistent.
- Removed w3c validation errors.
- Corrected routing for orderdone layout.
- Trigger 'plgVmAfterStoreProduct', added array key "new" to $data, so that we know if a product is new or just updated.
- Customfield date has now two extra parameters to set the initial date and year range. The initial date uses as format DateInterval, so the P0D means use the current.
- Language files updated.
- Long desired fix, dropdowns of prices in product edit work now directly.
- Enhanced handling of the orderdone layout.
- _triesValidateCoupon is now emptied after entering a valid coupon.
- Coupons are not automatically removed any longer when expired.
- Full installer now also works with multilingual setup.
The full list is available here http://forum.virtuemart.net/index.php?topic=139652.msg490664