VirtueMart 3.8.6 Security Release

VirtueMart 3.8.6 addresses a new Cross-site Scripting (XSS) security vulnerability in the manufacturer dropdown, found by 4N_CURZE.

The problem itself was easy to fix: the value was whitelisted everywhere else, but the whitelist check was missing for the manufacturer drop-down list.
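To make the fix concrete, here is an added illustrative example of the pattern described above; it is not VirtueMart's own code, and the function names, the field name `virtuemart_manufacturer_id` and the sample vendor names are assumptions. The request-supplied value is only accepted if it is one of the known manufacturer IDs, and everything written into the `<select>` is HTML-escaped, so an unexpected value never reaches the page unchanged.

```php
<?php
// Added example (not VirtueMart code): whitelist a request value before
// it is reflected into a manufacturer dropdown, and escape all output.
declare(strict_types=1);

/**
 * Return the requested manufacturer ID only if it is one of the known IDs;
 * otherwise return 0, meaning "all manufacturers".
 */
function whitelistManufacturerId(string $requested, array $knownIds): int
{
    // Anything that is not a plain unsigned integer is rejected outright.
    if (!ctype_digit($requested)) {
        return 0;
    }
    $id = (int) $requested;
    return in_array($id, $knownIds, true) ? $id : 0;
}

/**
 * Render the dropdown. The selected value is the whitelisted ID, never the
 * raw request string, and names are escaped with htmlspecialchars().
 */
function renderManufacturerDropdown(array $manufacturers, string $requested): string
{
    $selected = whitelistManufacturerId($requested, array_keys($manufacturers));

    $html  = "<select name=\"virtuemart_manufacturer_id\">\n";
    $html .= '  <option value="0"' . ($selected === 0 ? ' selected' : '') . ">All</option>\n";
    foreach ($manufacturers as $id => $name) {
        $html .= sprintf(
            "  <option value=\"%d\"%s>%s</option>\n",
            $id,
            $selected === $id ? ' selected' : '',
            htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        );
    }
    return $html . '</select>';
}

// Constructed sample data (hypothetical manufacturer names).
$manufacturers = [3 => 'Acme Tools', 7 => "O'Brien & Sons"];

// A known ID is selected as usual.
echo renderManufacturerDropdown($manufacturers, '7'), "\n";
// An unknown ID and a non-numeric value both fall back to "All" and are
// never echoed, which is what the missing whitelist check would have done.
echo renderManufacturerDropdown($manufacturers, '99'), "\n";
echo renderManufacturerDropdown($manufacturers, 'abc'), "\n";
```

The two halves matter independently: the whitelist keeps arbitrary request input out of the `selected` logic, and the output escaping protects the option labels, which come from the database rather than the request but can still contain quotes or ampersands.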

Besides that, VirtueMart 3.8.6 also adds some interesting new features for real marketplaces that offer products from different vendors. Multicart is one of them: in a multi-vendor shop there is a separate cart for each vendor, so a customer who buys products from several vendors completes a checkout for every vendor.

Another new feature is payment/shipment restrictions by coupon. It can be used to offer customers additional payment methods over the phone, or for marketing campaigns like “use this coupon to get free shipment”.

VirtueMart 3.8.6 introduces a required-characters check, based on toggleCartButton.js (MIT license), so the textinput plugin can now be used for mandatory text. The VirtueMart recaptcha integration was also improved to work according to the new Joomla standards and with any Joomla captcha plugin.

New Features, Improvements for Multivendor

  • Added MultiCart system
  • Cart module: replaced the link to the cart with a button; old links should still work
  • Vendor dropdown for Categories
  • Added the feature that subvendors can check orders, but only if at least one of their products is on the order

Extended Features

  • Added shipment/payment restriction by Coupon
  • Added required chars to the textinput plugin
  • Added layout orderdone for weight_countries plugin, which can be used to override the standard output
  • Added a warning to the vmconfig if the price config is overwritten by shoppergroups.
  • Product edit view and model, added filter for published/unpublished, added searching of products in multiple categories

Language

  • Added VM config setting ReInjectJLanguage, which replaces the Joomla JLanguage object with VmLanguage
  • Update for the VirtueMart System Plugin for multilanguage, as it may be useful to always load the VM config first
  • Replaced $languages = JLanguageHelper::createLanguageList with $JLanguages = JHtml::_('contentlanguage.existing')

Security

  • XSS leak fixed in manufacturer dropdown
  • Recaptcha Overhaul by StAn of RuposTel

Payments

  • PayPal refund configuration option to prevent VM generating a request for PayPal refund
  • Small paypal enhancement, inspired by RuposTel and written by Quorvia

Development

  • category model: added function getChildCategoryListObjectByCachedOption, which is now used by getChildCategoryList and getChildCategoryListObjectByCachedOption
  • function getSafePathFor can now be used to create any kind of subfolder
  • custom model: directTrigger for plgVmDeclarePluginParamsCustomVM3 and plgVmGetTablePluginParams; vmplugin.php: enhanced function declarePluginParams
  • Fixed customfield model cache. We now always load all attributes and cache them, and we use directTrigger for plgVmDeclarePluginParamsCustomVM3
  • user model: added cache
  • user model: set the function “setId” to deprecated. The use of the internal id as pointer is useless. The function getUser should now be called with an id, but uses the old $this->_id construction as a fallback
  • userfield model: added JPluginHelper::importPlugin('user'); to the getUserFieldsFor function
  • iStraxx added the toggleCartButton.js with MIT license, needed for the textinput required letters.
  • Invoice: the product is always reloaded to create the item

Fixes

  • Small fix for coupons using the correct language
  • Fixed that calculation rules were not including the given end day, because the hours and seconds were not set
  • Added registration of Vm Controller and View to massxref.php
  • vmTable warning if a key of the params is accidentally empty
  • Added _genericVendorId to vmtable and fallback
  • tables/order_items.php: added the very important $this->_genericVendorId = false to fix virtuemart_vendor_id of order items.
  • Updates for the Joomla fullinstaller
  • Little fix for updatesmigration in case of a multivendor store
  • Little fix for the tableupdater to prevent a notice.
  • Important fix for the backend user view to ensure that the correct addresses are loaded.
  • Fixes for tcpdf to work on higher PHP versions
  • Fixed function updateCategory for the xref data
  • Fixed tooltip in config (the check for an existing lang key did not work the old way any longer)
  • mail_raw_pricelist.php: replaced $item->product_final_price with $item->product_subtotal_with_tax

Thanks for reading!