Security Release VirtueMart 3.0.12, plus new goal, new docs

Written by Max Milbers on .

More Security

The company found a new issue, a possible XSS that misuses the array keys in the URL. Most servers block such a URL by default, but we have nevertheless added another protection. We also found and fixed some smaller bugs and glitches in advanced functions and, last but not least, added missing backward compatibility for some cases. This release follows 3 release candidates with more than 2000 downloads altogether.

New Goal

Sticking to the Joomla API has turned out to be an unlucky decision for us. The future plan is to write more for our own framework, VMF, which will give us the freedom to use systems other than Joomla as well. The idea is to write a small framework so that extensions written for VirtueMart also work on platforms other than Joomla. In other words, instead of developing a standalone VirtueMart, we will try to write an easily bridgeable VirtueMart. We have already seen a VirtueMart running on Drupal, so it can't be too hard. But first we want to look into WordPress. Of course we will need test users and suggestions from developers who are familiar with WordPress and VirtueMart, so please join our forum if you have some experience with these. We are also thinking about using the Joomla platform by the team of Johan Janssens for our next full installer.

New Docs

Due to our membership system we found some time to update our manual. We added a lot of pages which explain general VirtueMart concepts at - It's worthwhile to read them. Even VirtueMart veterans have already found some new tricks in them!

Some New Features/Fixes:

  • different thumbnail sizes are possible now (actually a fix, but no one knew it anyway; for templates please read here)
  • cart should keep address data of the user, if an error happens like "email already taken"
  • use captcha only for guests
  • Added "None" option for some order status lists.
  • media handling per vendor
  • vmUploader checks uploaded files by MIME and may cancel the upload, controlled by ACL
  • vRequest is now also filtering the array keys (recursive)
  • enhanced synchronise Media (no 10k limit any longer)
  • moved creation of virtuemart_userinfos and virtuemart_order_userinfos to install_essential_data.sql to prevent changed fields from being reverted when updating VM
  • added hidden config updEngine to prevent changing of the table engine
  • added main controller missing for joomla3 to the AIO
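
The key filtering mentioned under "More Security" and in the vRequest item above, sketched as an added PHP example. It is not VirtueMart's vRequest code; the function names, the allow-list pattern and the depth limit are assumptions. A filter that only cleans values lets a markup-carrying key reach a template, while the recursive variant cleans keys at every level.

```php
<?php
// Added illustration; not VirtueMart's vRequest code. Function names are hypothetical.

/** Filters values only: array keys pass through untouched. */
function filterValuesOnly(array $input): array
{
    $out = [];
    foreach ($input as $key => $value) {
        $out[$key] = is_array($value)
            ? filterValuesOnly($value)
            : htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
    }
    return $out;
}

/** Filters values and, recursively, every array key. */
function filterKeysAndValues(array $input, int $depth = 0): array
{
    if ($depth > 10) {
        return []; // refuse pathologically deep nesting (assumed limit)
    }
    $out = [];
    foreach ($input as $key => $value) {
        // Integer keys are safe as-is; string keys are reduced to an allow-list.
        if (!is_int($key)) {
            $key = preg_replace('/[^A-Za-z0-9_-]/', '', $key);
            if ($key === '' || $key === null) {
                continue; // nothing usable left of the key: drop the entry
            }
        }
        $out[$key] = is_array($value)
            ? filterKeysAndValues($value, $depth + 1)
            : htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
    }
    return $out;
}

// Constructed sample: a nested request parameter whose key, not its value, carries markup.
$request = ['filter' => ['color"><i>x' => 'red', 'size' => 'L']];

foreach (['values only' => filterValuesOnly($request),
          'keys+values' => filterKeysAndValues($request)] as $label => $clean) {
    echo $label, ': ';
    // A template that echoes keys, e.g. to rebuild form field names.
    foreach ($clean['filter'] as $name => $val) {
        echo '<input name="filter[', $name, ']" value="', $val, '"> ';
    }
    echo PHP_EOL;
}
```

In the first output line the key's markup breaks out of the `name` attribute; in the second only allow-listed characters remain.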

The full bug fix list is available here this time:

We also updated VirtueMart 2.6. The new version got the security fixes and enhanced payment plugins, and now mainly uses the vm3 table layout. This noticeably increases performance.


Please read here


#8 Athan 2016-01-30 12:44

I've just updated to VM 3.0.12, and when I try to 'Save & Close' in the Configuration tabs, it redirects me to a blank page with those written below, which I've also just taken care of. But if I just 'Save', everything is fine!!!

Any suggestions?
Thank you in advance!

Critical Security Leak in all Joomla Versions, please update immediatly
Point of Sale for VirtueMart
Security Release VirtueMart 3.0.12, plus new goal, new docs
Release of 3.0.10
Summer promotion for Amazon Payments
#7 doruk 2015-12-19 16:25

VM 3.0.12 does not save Product Description changes. Please help

Thank you


Please look in forum there are several threads around this topic, most are solved.
If it does not help please consider to buy extra support:
#6 Hardik_Das 2015-11-18 11:16
VirtueMart admin site goes blank when uploading any product images or category images. This problem started after updating VM 3.0.10 to 3.0.12.

Edit by Mod: Solved, please read here
#5 stasonus 2015-11-18 09:51
When ordering, I receive an error
Error message data:
Call to undefined method VmVendorPDF::convertHTMLColorToDec() in file: /home/newvykro/w/components/com_virtuemart/helpers/vmpdf.php line: 129 timestamp: 2015-11-18T09:06:57+00:00

Edit by Mod: sounds like you updated from vm2, please update your tcpdf
#4 mignotte 2015-11-12 09:37

When I move from VM 3.0.10 to 3.0.12, there is no problem with the component's upload, but the AIO generates the alert: Subquery returns more than 1 row SQL=SELECT, m.title, … … which can be overcome by changing bd's lines extension and menu, but Joomla continues to ask for an upload of VM 3.0.12.
For info … Regards
#3 raphael222 2015-11-11 20:04
The component update is making trouble with thumbnail images (no images are displayed and the link is broken)
please fix it :oops: :oops: :oops: :oops:

Answer by Mod: The reason is that your template does not use the vm function to display thumbnails. Please adjust your overrides
#2 Thanoss 2015-11-11 18:48
Which servers are not accepting array keys in the url?

Answer by Mod: We were only able to reproduce this with nginx servers. Any apache directly blocked the request.
#1 Claes N 2015-11-11 13:19
Please add a section for this in the forums, so that there is a dedicated place to help and discuss this. (Talking about the WordPress and VMF framework things). We would like to help...