As we mentioned in the last news, VirtueMart is audited by different security companies. We are very happy that they found the persistent XSS attack before we released vm3.0.8, so the version vm3.0.8 already contains the fix.

The vulnerability discovered by Fortinet’sFortiGuard Labs with CVE number “CVE-2015-3619” is a persistent XSS attack. Contrary to non-persistent XSS, this kind of attack can be executed with almost nil interaction by the admin. The problem exists due to the javascript tooltips, which automatically decode the DOM value. So in certain circumstances it was possible to use a double encode combination of first_name, last_name and company to create a working js, which gets activated if an admin hoovers over the combined name of the order. So our fix contains two parts. One part makes it impossible to store dangerous values, the other part escapes the tooltips to prevent problems with old orders.

The fix in vm2admin.js is here
vm2admin.js rev=8828
In case you cannot update, just use the new vm2admin.js.

The other fixes are more complex and in different files and just prevent the problem for the future.

Please remember that all this fixes are already in vm3.0.8. This is just the disclosure.

Meanwhile we created a new vm3.0.9, which is also suitable for productive use. But test your "add to cart" popup. Also, editing of orders could behave differently.

Features:
- New Ordering "ordering, name", which sorts for ordering if available, then for name.
- If a product had more than one category and one was not publisehd it could happen that the selected category was the unpublished one. Is fixed.
- Order item edit now uses the same function as the create/update function, which allows to use the same triggers for manipulating storing of the data.
- "Give vendors switched in shoppers their rights", means a vendor switched into a shopper can still administrate the store.
- Klarna replaced serialize against json_encode
- Added the option to add js files inline (sometimes easier with ajax)
- Add to cart can now be stopped by another js using e.stopSendtocart == true
- Added test for the AIO to prevent blank page due to installion without proper VirtueMart core

http://dev.virtuemart.net/projects/virtuemart/files