PrestaShop
Open source e-commerce platform for building an online store
Alternative to: shopify, woocommerce, bigcommerce, magento
1.7.6.5
2020-04-20Main fixes
Below are listed the 7 regressions that were found and fixed in this version, impacting both front-office and back-office :
Front-office regressions : When editing an address both in the customer account and checkout, a new address was created instead of replacing it - #18100 and #18072 Canonical redirects for products with combinations no longer worked, which could cause duplicate content #18279
Back-office regressions :
When adding a cart rule to an order from the back-office, the value discount was not correct #18630 Searching a category with the quick search no longer redirected to the category edition page - #17908 The help card was no longer displayed on view order and new employee pages #18279 and #18615 BO - Customer View page - Wrong number of “Last emails”
It was not possible to access the translation interface for the Serbian language - #18062
Security fixes
Props to rabhi for finding a lot of issues.
- Improper access control on product page with combinations, attachments and specific prices https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-cvjj-grfv-f56w
- Improper access control on product attributes page https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-4wxg-33h3-3w5r
- Improper access control on customers search https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-r6rp-6gv6-r9hq
- Improper Access Control https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-74vp-ww64-w2gm
- Reflected XSS related in import page https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-98j8-hvjv-x47j
- Reflected XSS with back parameter https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-j3r6-33hf-m8wh
- Reflected XSS on Exception page https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-mrpj-67mq-3fr5
- Reflected XSS on AdminCarts page https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-q6pr-42v5-v97q
- Reflected XSS on Search page https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-rpg3-f23r-jmqv
- Reflected XSS with dashboard calendar https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-m2x6-c2c6-pjrx
- Open redirection when using back parameter https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-375w-q56h-h7qc
- Reflected XSS on AdminFeatures page https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-87jh-7xpg-6v93
- Reflected XSS on AdminAttributesGroups page https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-7fmr-5vcc-329j
- Reflected XSS in security compromised page https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-48vj-vvr6-jj4f
On modules: https://github.com/PrestaShop/ps_facetedsearch/security/advisories/GHSA-mmmv-m5q9-g3cm https://github.com/PrestaShop/ps_socialfollow/security/advisories/GHSA-774w-fg8p-7c8w https://github.com/PrestaShop/ps_linklist/security/advisories/GHSA-vr7g-vqp5-966j https://github.com/PrestaShop/ps_linklist/security/advisories/GHSA-cx2r-mf6x-55rx
More information about why it’s important to update: Improper Access Control Cross-site Scripting (XSS) Open Redirect (CWE-601)
Other main changes
Improve installation under CLI by adding the “rewrite” parameter in “index_cli.php” to enable the rewrite engine. https://github.com/PrestaShop/PrestaShop/pull/18491
Full Changelog
-
Back Office:
- Bug fix:
- #18637: Fix sidebar not displayed in BO Add employee page (by @Progi1984)
- #18607: Fix wrong number of “Last emails” in BO - Customer View page (by @PululuK)
- #17920: Wrong redirection when using the quick search for a category (by @PululuK)
- #18064: Fix error when trying to translate Serbian using the BO interface (by @eternoendless)
- Bug fix:
-
Front Office:
- Bug fix:
- #18633: Convert cart rule value when order currency is different (by @sowbiba)
- #18493: Change product redirection rules to redirect to valid attribute url (by @jolelievre)
- #18103: Duplicate address when submitting a form with errors (by @PierreRambaud)
- Bug fix:
-
Core:
- Improvement:
- #18638: Update version to 1.7.6.5 (by @PierreRambaud)
- Bug fix:
- #GHSA-cvjj-grfv-f56w - Improper access control on product page with combinations, attachments and specific prices (by @PierreRambaud)
- #GHSA-4wxg-33h3-3w5r - Improper access control on product attributes page (by @PierreRambaud)
- #GHSA-r6rp-6gv6-r9hq - Improper access control on customers search (by @PierreRambaud)
- #GHSA-74vp-ww64-w2gm - Improper Access Control (by @PierreRambaud)
- #GHSA-98j8-hvjv-x47j - Reflected XSS related in import page (by @PierreRambaud)
- #GHSA-j3r6-33hf-m8wh - Reflected XSS with back parameter (by @PierreRambaud)
- #GHSA-mrpj-67mq-3fr5 - Reflected XSS on Exception page (by @PierreRambaud)
- #GHSA-q6pr-42v5-v97q - Reflected XSS on AdminCarts page (by @PierreRambaud)
- #GHSA-rpg3-f23r-jmqv - Reflected XSS on Search page (by @PierreRambaud)
- #GHSA-m2x6-c2c6-pjrx - Reflected XSS with dashboard calendar (by @PierreRambaud)
- #GHSA-375w-q56h-h7qc - Open redirection when using back parameter (by @PierreRambaud)
- #GHSA-87jh-7xpg-6v93 - Reflected XSS on AdminFeatures page (by @PierreRambaud)
- #GHSA-7fmr-5vcc-329j - Reflected XSS on AdminAttributesGroups page (by @PierreRambaud)
- #GHSA-48vj-vvr6-jj4f - Reflected XSS in security compromised page (by @PierreRambaud)
- Improvement:
-
Installer:
- Bug fix:
- #18491: Installation under CLI doesn’t take BASE_URI and Apache rewrite in consideration (by @PierreRambaud)
- #18451: Use scandir instead of readdir to get sorted entities (by @PierreRambaud)
- Bug fix:
-
Tests:
- Bug fix:
- #18309: Change test fixtures that need to be in the future (by @jolelievre)
- Bug fix: