• Security Release VirtueMart 3.8.6 Closing an XSS Vulnerability

    A new XSS was found by 4N_CURZE (https://www.openbugbounty.org/researchers/4N_CURZE/). It took a while to reproduce, because it was triggered through the manufacturer dropdown, which is not always activated. The problem itself was easy to fix: the value was whitelisted everywhere else, but the whitelist check was missing for the manufacturer drop-down list. Since the previous release some features have been added. The long-desired multicart system has been implemented. Multicart means, for a multi-vendor shop, that there is...
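The release notes describe the fix as applying the same whitelist (allow-list) check to the manufacturer dropdown that the other parameters already had. The following PHP is an added illustration of that pattern and is not VirtueMart code; the manufacturer table rows, the `manufacturer_id` request parameter and the function names are assumptions made for the example. The unsafe variant reflects the raw request value into the markup, which is the bug class; the hardened variant accepts only an ID that exists in the list and escapes every label it emits.

```php
<?php
// Added example, not VirtueMart code. Demonstrates allow-list validation of a
// dropdown value before it is reflected into HTML.

// Constructed sample data standing in for rows from a manufacturer table.
function manufacturerOptions(): array {
    return [
        1 => 'Acme',
        2 => 'Globex',
        3 => 'Initech',
    ];
}

// Vulnerable pattern: the raw request value is written back as the selected
// option without being checked against the list of offered manufacturers.
function renderDropdownUnsafe(array $options, string $rawSelected): string {
    $html = '<select name="manufacturer_id">';
    $html .= '<option value="' . $rawSelected . '" selected>Current</option>';
    foreach ($options as $id => $label) {
        $html .= '<option value="' . $id . '">' . $label . '</option>';
    }
    return $html . '</select>';
}

// Hardened: returns the selected manufacturer id only if it is one we actually
// offer; anything else (non-numeric, unknown id) falls back to 0 meaning "all".
function selectedManufacturer(array $request, array $options): int {
    $raw = $request['manufacturer_id'] ?? '';
    if (filter_var($raw, FILTER_VALIDATE_INT) === false) {
        return 0;
    }
    $id = (int) $raw;
    return array_key_exists($id, $options) ? $id : 0;
}

// Only an allow-listed integer key ever reaches the markup. Labels are escaped
// too, because a vendor who can name a manufacturer also controls that string.
function renderDropdown(array $options, int $selected): string {
    $html = '<select name="manufacturer_id">';
    $html .= '<option value="0"' . ($selected === 0 ? ' selected' : '') . '>All</option>';
    foreach ($options as $id => $label) {
        $sel = ($id === $selected) ? ' selected' : '';
        $html .= sprintf('<option value="%d"%s>%s</option>',
            $id, $sel, htmlspecialchars($label, ENT_QUOTES | ENT_HTML5, 'UTF-8'));
    }
    return $html . '</select>';
}

// Demonstration with constructed inputs, including a hostile one.
$options = manufacturerOptions();
$hostile = '"><script>alert(1)</script>';

echo "unsafe:  ", renderDropdownUnsafe($options, $hostile), "\n";
foreach (['2', $hostile, '99'] as $input) {
    $sel = selectedManufacturer(['manufacturer_id' => $input], $options);
    echo "input=", var_export($input, true), " -> selected=", $sel, "\n";
}
echo "hardened: ", renderDropdown($options,
    selectedManufacturer(['manufacturer_id' => $hostile], $options)), "\n";
```

Run with `php example.php`. The unsafe output contains the injected `<script>` tag verbatim; in the hardened output the hostile value never appears, because it fails the integer check and the dropdown falls back to "All". Checking membership in the list of real IDs, rather than only escaping, is the point of the release note: escaping would stop the markup injection, but the allow-list also rejects IDs the store does not offer.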


Component Type: VirtueMart Core. The affected files are part of the standard VirtueMart Distribution.

Affected Versions:
VirtueMart 1.1.4 and all earlier versions.

Vulnerability Type: SQL Injection.

Severity: HIGH.

Problem Description:
It's possible for an attacker with administrator permissions to manipulate or gain information from the database with a specially crafted URL.

Solution: A patch is available that contains new versions of the affected files: SecurityFix_vm114_012910.zip.
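The bulletin does not say which query was affected, only that a specially crafted URL lets an attacker with administrator permissions read or manipulate the database. The PHP below is an added, generic illustration of that bug class and is not the content of the patch: a query built by concatenating a URL parameter into the SQL text, beside the parameterized version. The `orders` table, its columns and the `user_id` parameter are hypothetical, and an in-memory SQLite database stands in for the store's database so the script runs offline.

```php
<?php
// Added example, not the VirtueMart patch. Generic illustration of SQL injection
// via a URL parameter and its fix with a type check plus a bound parameter.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Hypothetical table with constructed rows.
$db->exec('CREATE TABLE orders (order_id INTEGER PRIMARY KEY, user_id INTEGER, total REAL)');
$db->exec('INSERT INTO orders VALUES (1, 10, 19.99), (2, 11, 250.00), (3, 10, 5.50)');

// Vulnerable: the raw parameter becomes part of the SQL text, so it can change
// the shape of the query instead of just supplying a value.
function ordersForUserUnsafe(PDO $db, string $userId): array {
    $sql = "SELECT order_id, total FROM orders WHERE user_id = $userId";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Fixed: reject anything that is not an integer, then bind the value. A bound
// parameter is sent separately from the statement and cannot alter its syntax.
function ordersForUser(PDO $db, string $userId): array {
    if (filter_var($userId, FILTER_VALIDATE_INT) === false) {
        throw new InvalidArgumentException('user_id must be an integer');
    }
    $stmt = $db->prepare('SELECT order_id, total FROM orders WHERE user_id = :uid');
    $stmt->execute([':uid' => (int) $userId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed crafted value as it arrives after URL decoding, e.g. ?user_id=10%20OR%201%3D1
$crafted = '10 OR 1=1';

echo count(ordersForUserUnsafe($db, $crafted)), " rows returned by the unsafe query (all of them)\n";
try {
    ordersForUser($db, $crafted);
} catch (InvalidArgumentException $e) {
    echo "fixed query rejected the input: ", $e->getMessage(), "\n";
}
echo count(ordersForUser($db, '10')), " rows returned for the legitimate request\n";
```

Run with `php example.php` (requires the `pdo_sqlite` extension). The unsafe function returns every row for the crafted value because `OR 1=1` becomes part of the WHERE clause; the fixed function refuses the value before it reaches the database and returns only the two rows for user 10 on a legitimate request. That the bulletin's attacker already holds an administrator account does not change the fix: the query must never trust the URL, whoever sent it.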

General advice:

Follow the recommendations from the Joomla! Administrator's Security Checklist and the Security & Performance FAQ for Joomla!. This gives your store a baseline of security.
Keep an eye on the VirtueMart Security Bulletins.

Testimonial

I just wanted to let you know how impressed I am with Virtuemart now. I had toyed around with Virtuemart earlier in 2008, and it is amazing to see the difference between then and now. You people are doing great work!
