Headline

CVE-2021-42051: Releases · abantecart/abantecart-src

An issue was discovered in AbanteCart before 1.3.2. Any low-privileged user with file-upload permissions can upload a malicious SVG document that contains an XSS payload.

2 years ago

CVE

Open in Source

#sql #xss #csrf #vulnerability #web #google #linux #js #git #java

AbanteCart version 1.3.2

In this release:

Core:

PHP v8.0 Compatibility
Page builder supportability
Magic methods support in the hook classes
core/engine/extension.php improvement (see commit for details)
DOM Based Cross-Site Scripting fix
added restrictions for available shipping methods during checkoout
Maximum Weight of Parcel #1497
Added dimensions and weight into order products
default Resource library Types icons + Retina fix
changes related to page builder + fix of extensions hook calls
phar internal corruption resolution #1504
SVG File type suppoer a& validation
Options value weight class follow the products base weight class
Query optimization for MariaDB
Email base64 encoding
Multistore subdomain fixes
Multistore template selection fixes

Admin:

added validation for svg/svgz files on script calls inside.
Product form volume validation #1496
improvement of Tabs on product and category edit pages
tables size calculation fix
weight description fix in the option values table
extensions grid & extension summary section
New resource library type icons
Product options SKU display
Backup fix and improvement
Embed bug fixes
global search bug fix
Taxes report fix

Storefront:

Login Display Prices OFF block issue #1493
Shipping limits by weight volume #1495
Minimal order parcel size volume not work #1499
“Wrong Dimensions of product” error #1498
jquery.flexyslider upgraded to v2.7.2
custom.js improvement
Fastcheckout improvement and fixes
Coupon session fix
Brands block improvement

Extensions:

Number of new hooks for expandability
CardKnox payment instance id issue resolution

AbanteCart version 1.3.1

In this release:

Core: taskManager. fix of error output
Core: ALoader improvement. Added debug backtrace
Core: added Date product option type ACORN-108
minimal php version now 7.3.0
Core: ACart minor improvements
Core: core/lib/config.php fixes related to seo-postfix and config store id type cast
Core+ SF: changes related to virtual products purchasing (gift certificates etc)
Core: changes related to virtual products purchasing (gift certificates etc)
Core: changes related to AResource::getMainThumbList() method.
Core: add hook to category_top, category_bottom block and manufacturer page
Core: changes related to virtual products purchasing (gift certificates etc)
Core+ SF: changes related to virtual products purchasing (gift certificates etc)
Core: html-class improvement (number, email input types)
Core: AResource minor improvement
Core: core/engine/extensions reformatting
Core: ALayout improvement related to hooks
Core: AResource bug fix

Admin:

Admin: ACORN-563 embed in multistore fix
Admin: general.js fix related to tasks ACORN-554
Admin: collection controller fix
Admin: global search improvement, added search by sku ACORN-549
Admin: collection controller fix
Admin: email templates controller and model code improvements
Admin: fix related to cdn-image-downloads from import csv-file
Admin: added hook calls into customer controller
Admin: order details minor improvement of tpl
Admin: added check for extensions layouts xml into template installation and template switch processes
Admin: fix for storefront_order_confirm email template
Admin: collection model fix
Admin: lib configManager fix
Admin: order totals grid improvement (related to predefined sort and calculation orders for balance and total)
Admin: collection form js-fix
Admin: language manager fix related to auto-translations
Admin: package manager fix. Added “tax” extension type + reformatting
Admin: package manager fix. Added “tax” extension type + reformatting
Admin: sale/contact email RL-image’s URL fix
Admin: product option value url fix
Admin: controller for downloading file improvement

Storefront:

improvement related to option value images
ACORN-561 guest and logged in customer sessions fix
fast checkout payment fix ACORN-560
Request add cost column method (#1485)
ACORN-559 fast checkout order summary tax display fix
ACORN-552 taxes report: incorrect orders count
Guest Checkout Create Account feature fix ACORN-557
ACORN-558 base product weight field description
upgrade scripts fixes
Add product option cost (#1484)
ACORN-553 banner group name issue fix
ACORN-551 “add to cart” buttons on home page blocks
#1472 typo fix
fix ACORN-548 embed: options values images
fix ACORN-267 Pickup from Store use the store address for taxes
#1464 wordpress embed fast checkout buttons fix
#1483 embed fix
embed code default height fix
ACORN-550 Typed property ControllerPagesCatalogCollections::$error fix
#1472 fileinfo PHP extension check to the 1.3 installation and upgrade
#1464 mobile add to cart buttons fix
fix ACORN-255 Import wizard category split separator
ACORN-547 FastCheckout fix
#1482 WordPress 5.8 SameSite cookie issue
#1473 default_ups. reformatted code
#1472 system requirements refactoring
#1472 minimal version of php now 7.4
#1457 extra white space in front of the email headers
add hooks to admin order details and order invoice (#1480)
Storefront: order details minor improvement of tpls
Collection model fix
Account/logout controller improvement
Catalog/collection model fix
Rounding fix related to taxes and 3 digits after decimal points. ref. https://forum.abantecart.com/index.php?topic=9072.new;topicseen#new
add the label id and the additional hook (#1474)
add hook, change hook location and change private $error to public $error (#1469)
FastCheckout shipping method icon fix
add hooks to templates and admin product options page (#1467)
FastCheckout: added hook vars call into tpls

Extensions:

avatax improvement related to getting taxLines
FastCheckout stripe address line fix ACORN-318
Default Stripe minor fix ACORN-318
Avatax fix
authorizenet error in php v8 (#1479)
FastCheckout. changed default sort order (run order) from 1 to 10
FastCheckout installation improvement (adding layouts to custom templates)
Avatax fix

AbanteCart version 1.3.0

In this release, we bring a few new features

Core:

Wodrpress integration support
PHP v8.0 support
jQuery upgrade to v3.5.1
Resource Library images path improvement
New Get Embed code modal. Embed links code and copy
Added error reporting levels support based on settings
SSL detection improvement
Same site cookies fix
tinyMCE editor update
AMail class remove of final and change private to protected properties
Deprecated HTML Page cache
Overall cache fixes and improvement

Control Panel:

Dashboard new icons
Default extensions new icons
Category selector multi-store display
Product and categories grid new bulk action
Grid filters improvements
Email preview page
show map for order address. Google Maps API
order recalculation fix related to adding total in not default currency
сontroller/pages/extension. added hook call
model language fix related to mysql8
Crontab help with ready to run Linux command
Resource library drag-n-drop fix

Storefront:

Multilingual store logo support
Same domain multi-store support
Improved phone validation and Regex Pattern setting
Allow coupons to be assigned per category
Reformat of account/edit controller
Search in product descriptions now includes blurb field
Controller account subscriber fix related to hook calls
performance improvement of onlineNow model
responses/product/product added backward compatibility
Fast checkout is now default and standard checkout is deprecated (will be removed in 1.3.2).

Core Extensions:

Additional extension hooks for AOrder and ACartclases and improve extensions API
Allow extending of ADownload class
Cardknox new payment extension
PayPal standard store logo fixes
2Checkout sandbox deprecated
PayPal Express totals details
Local delivery Tax class selection
Update default local delivery to work with asterisk/wildcard
Fast Checkout summary tax fixes
Fast checkout downloads email fix
Fast checkout requires a phone number for registered customer
Fast checkout form validations improvements
cardconnect currency admin display fix
Neowise deprecated
Stripe account transactions list fix
Stripe Added Account ID
Stripe publishable key fix
shipping extensions grid fix

Additional improvements and bug fixes reported on the forum and GitHub.

AbanteCart version 1.3.0

In this release, we bring a few new features

Core:

Wodrpress integration support
PHP v8.0 support
jQuery upgrade to v3.5.1
Resource Library images path improvement
New Get Embed code modal. Embed links code and copy
Added error reporting levels support based on settings
SSL detection improvement
Same site cookies fix
tinyMCE editor update
AMail class remove of final and change private to protected properties
Deprecated HTML Page cache
Overall cache fixes and improvement

Control Panel:

Dashboard new icons
Default extensions new icons
Category selector multi-store display
Product and categories grid new bulk action
Grid filters improvements
Email preview page
show map for order address. Google Maps API
order recalculation fix related to adding total in not default currency
ontroller/pages/extension. added hook call
model language fix related to mysql8
Crontab help with ready to run Linux command
Resource library drag-n-drop fix

Storefront:

Multilingual store logo support
Same domain multi-store support
Improved phone validation and Regex Pattern setting
Allow coupons to be assigned per category
Reformat of account/edit controller
Search in product descriptions now includes blurb field
Controller account subscriber fix related to hook calls
performance improvement of onlineNow model
responses/product/product added backward compatibility

Core Extensions:

Aditional extension hooks for AOrder and ACartclases and improve extensions API
Allow extending of ADownload class
Cardknox new payment extension
PayPal standard store logo fixes
2Checkout sandbox deprecated
PayPal Express totals details
Local delivery Tax class selection
Update default local delivery to work with asterisk/wildcard
Fast Checkout summary tax fixes
Fast checkout downloads email fix
Fast checkout require a phone number for registered customer
Fast checkout form validations improvements
cardconnect currency admin display fix
Neowise deprecated
Stripe account transactions list fix
Stripe Added Account ID
Stripe publishable key fix
shipping extensions grid fix

Additional improvements and bug fixes reported on the forum and GitHub.

In this release, we bring a few new features, such as one-page fast checkout, product collections, email templates, local delivery, and others.
AbanteCart v1.2.16 also includes a number of improvements and fixes based on customer feedback.

Core:

PHP v7.4 support
Webp image format support
Append php call stack into db-driver exception
HTML Cache deprecated
Improve tax class
Add Mustache library
Parameter tampering fix: Price manipulation of products
Enforce same-origin iframe use only

Control Panel:

Additional settings for local business into the store details page
Products/categories/brands collections
New product review settings and management
Stock auto-disable fix
Order edits, currency handling on different browsers
Bugfix with multi-currency order recalculation
Email templates and management
Product import bug fix
Listing grid icons and CSS updates
Set minimal search chars of 2 for ajax chosen
mce-editor JavaScript fix

Storefront:

Google Recaptcha V3 support
Fast one-page checkout
improvement validation of parameters for a few methods of catalog/product model.
A country without States issue fix
Google Tag Management

Core Extensions:

New Fast one page checkout
New Local Delivery shipment
default_stripe added 3d-secure support. 3d-party library updated
default_cod minor fixes
LiqPay upgrade
Realex upgrade
Cardconnect upgrade
Payza payment deprecated

Improvements and bug fixes reported on the forum and GitHub.

This is unplanned release to provide clarity and better interface for multi-location stock management.
Release includes fixes to multi-location stock management as well

Core:

Stock multi-locations support improvement
Mysql strict mode improvement (#1236)
Added default value for invoice_prefix
Add ability to import product option images
Added buffering into apdomysql driver
Tax order total’s calculation order improvement
Package manager sql error handle
Added Manila zone to location data

Control Panel:

Added multi-locations support to order edit page
Menu and dashboard display now reflects user permissions
Return to stock order edit page corrections.
Balance order total now readonly

Storefront:

Shopping Cart page fix related to tax included in the price (#1269)
Correction to images display for product options in shopping cart and product details pages
Listings Out of Stock and Call to Order fixes
Availability fix in product details page

Extensions:

PayPal express minor fix (#1267)

Improvements and bug fixes reported on the forum and github.

This release comes with improvements, bug fixes and default extension updates.

Core:

Stock multi-locations support for products and options
Testing with PHP 7.3 and warnings resolution
Testing with MySQL 8.0 and warnings resolution
Error backtrace and handling improvement
Refactoring related to csrf-tokens and backward compatibility
Cache related bug fixes and improvements
Fix to get remote IP while server behind Cloudflare or proxy
MySQL driver improvement
Product sorting cross-site scripting vulnerability fix

Control Panel:

improvement of scheduled tasks running
Added column sku into order_products and order_options tables
Improve product tags filtering on product create and update
Improved UI for switch (on/off) buttons
Multi-store custom block content support
Product tags improvement
Multi-store blocks handling improvement
Form Manager fix for checkboxgroup/multiselectbox field type

Storefront:

Added product listing layout
Manufacturers listing block fix
Menu language related bug fix
added new data-sources for auto-listing block (manufacturers, featured, bestsellers,latest)
Show options specific image for product in the cart and after purchase
Set logo container to be fixed width/height
Embed mode JavaScript error bug fix.
Google Analytics ecommerce tracking fix

Extensions:

Deprecated Authorize.net AIM payment and replaced with new one
Stripe API and SDK update
Fix for partial payment issue with PayPal payment (in case of partial store credit)
Resolved issue with PayPal refund with non-default currency.

API:

Added subcategories handling to Storefront API

A list of improvements and bug fixes reported on the forum and github.

This release comes with improvements, bug fixes and default extension updates.

Core:

Testing with PHP 7.2 and warnings resolution
ARouter fix related to \0 at the end of route and further improvement
cache file driver minor fix
sql fix in store_description table
improved error handling in response controllers when not found
Fix for duplicating images on import
PHP files reformating to PSR

Control Panel:

TinyMCE updated to v4.7.10
improve SQL error handling in product creation
Added save to store ID in case of missing category
extension settings saving improvement
task modal js-fix related to attempts on fail requests

Storefront:

minor fix of product-controller related to “rating” html-field
Add activation link resend option
Add CSS class to BODY tag to identify pages.

Extensions:

PayPal Standard and Express Improvment
Avatax integration
Fixes in CardConnect
Stripe payment update
Twilio update
Neowize terms and conditions link update
Update for encryption extension

API:

Add SEO data returned to API
Fix for latest product API and currency conversion rounding (rare case)

Number of improvements and bug fixes reported on the forum and github.

This release comes with minor improvements and bug fixes.

Core:

jQuery update
AResponse fix related to compression and embed-js
cache file driver minor fix

Control Panel:

fixed quantity field in products grid. Now calculation based on option quantity
added registration date to customer profile
content pages SEO improve
coupon grid refine fix

Storefront:

localization/country model improvement
minor improvement of guest_step_1 page post-data values validation
product page tpl js-improvement
embed products special chars improve

Extensions:

banktransfer minor js-fix
worldpay fix contribution
paypal standard improvements
paypal express improvements
USPS domestic methods improvements

Other bug fixes and improvements

Core:

added new product option type “Label” for display only purpose
minor improvement of core/lib/config.php related to cli-mode
Added URL into error text when wrong key_param-key_value pair
ahtml class fix related to https as plain store url
added jpeg warning ignoring via ini_set into AImage class
improved ExtensionsAPI class and extension settings page controller
added iso_codes for weight and length classes
AResource class minor improvement
message-info controller minor fix related to hooks-call
image url fix related to api-controllers. Now all urls will be without protocol (with // at the begin)
Depricate Mcrypt and replace with OpenSSL
Added CLI interface to run tasks
minor fix of order class