A new XSS was found by 4N_CURZE (https://www.openbugbounty.org/researchers/4N_CURZE/). It took a while to reproduce it, because it was caused by the manufactuer dropdown, which is not always activated. The problem itself was easy to fix, although the value was whitelisted everywhere else, it was missing for the manufacturer drop-down list.
Since the previous release some features got added. The long desired multicart system got implemented. Multicart means for a multi-vendor shop, that there is an extra cart for each vendor. So when a customer buys products from different vendors he needs to do a checkout for every vendor. This system is very interesting for real marketplaces, which offer products of different vendors.
Another nice new feature are payment/shipment restrictions by coupons. This can be used to offer customers other payment methods over the phone, such as bank transfer for example. Or it can be used for marketing campaigns like "use this coupon to get free shipment".
The textinput plugin can now be used for mandatory text, as we have introduced a required characters check. iStraxx contributed the toggleCartButton.js with MIT license for the required characters check.
StAn of RuposTel has provided a useful overhaul of the VirtueMart recaptcha system. It now works according to the new Joomla standards and works with any joomla captcha plugin. Read more about this on docs.virtuemart.net
DOWNLOAD VM3 NOW
VirtueMart 3 component (core and AIO)
Multivendor:
- Added MultiCart system
- Cart module, replaced link to cart against button, old links should still work
- Vendor dropdown for Categories.
- Added the feature that subvendors can check orders, but only if at least one product of them is on the order.
Extended features
- Added shipment/payment restriction by Coupon
- Added required chars to the textinput plugin
- Added layout orderdone for weight_countries plugin, which can be used to override the standard output
- Added a warning to the vmconfig if the price config is overwritten by shoppergroups.
- Product edit view and model, added filter for published/unpublished, added searching of products in multiple categories
Language:
- Added VM config setting ReInjectJLanguage, which replaces the Joomla JLanguage object with VmLanguage
- Update for the VirtueMart System Plugin, for multilanguage as it may be useful to load the VM config always first
- Replaced $languages = JLanguageHelper::createLanguageList against $JLanguages = JHtml::_('contentlanguage.existing')
Security:
- XSS leak fixed in manufacturer dropdown
- Recaptcha Overhaul by StAn of RuposTel
Payments:
- PayPal refund configuration option to prevent VM generating a request for PayPal refund
- Small paypal enhancement, inspired by RuposTel and written by Quorvia
Development:
- category model added function getChildCategoryListObjectByCachedOption which is now used by getChildCategoryList and getChildCategoryListObjectByCachedOption
- function getSafePathFor can now be used to create any kind of subfolder
- custom model, directTrigger for plgVmDeclarePluginParamsCustomVM3 and plgVmGetTablePluginParams vmplugin.php enhanced function declarePluginParams
- Fixed customfield model cache. We load now always all attributes and cache that. and we use directTrigger for plgVmDeclarePluginParamsCustomVM3
- user model, added cache
- user model, set the function "setId" to deprecated. The use of the internal id as pointer is useless. The function getUser should now be called with id, but usese as fallback the old $this->_id construction
- userfield model added JPluginHelper::importPlugin('user'); to the getUserFieldsFor function
- iStraxx added the toggleCartButton.js with MIT license, need for the textinput required letters.
- Invoice, the product is always reloaded to create the item.
Fixes:
- Small fix for coupons using the correct language
- Fixed that Calculation rules were not including the given end day, because the hours and seconds were not set
- added registration of Vm Controller and View to massxref.php
- vmTable warning if a key of the params is accidently empty
- Added _genericVendorId to vmtable and fallback
- tables/order_items.php added the very important $this->_genericVendorId = false to fix virtuemart_vendor_id of order items.
- Updates for the joomla fullinstaller
- little fix for updatesmigration in case of multivendor store
- little fix for the tableupdater to prevent notice.
- important fix for the backend user view to ensure that the correct addresses are loaded.
- fixes for tcpdf to work on higher php versions
- fixed function updateCategory for the xref data
- fixed tooltip in config (check for existing lang key did not work the old way anylonger)
- mail_raw_pricelist.php replaced $item->product_final_price against $item->product_subtotal_with_tax