New Features in PrestaShop 22.214.171.124
The ongoing work on security for PrestaShop software continues. We have identified and fixed new minor security issues and since we don’t expect PrestaShop 126.96.36.199 final to be released before a few weeks, it has been decided to deliver a new maintenance release for 1.7.6.X branch.
Similarly to 188.8.131.52, this maintenance release fixes not only regressions found on versions 184.108.40.206 to 220.127.116.11, but also a few security issues from 1.5, 1.6 and 1.7 versions. This is again a result of the huge work on security going on in 2020 to make PrestaShop software safer. PrestaShop will continue focusing more and more on security to ensure that no security breaches, even minor ones such as permission issues, are left out in the core.
As this patch fixes several security issues, we highly recommend to upgrade your shop as soon as possible. Of course, as always, don’t forget to backup before.
Reminder: the 1-Click Upgrade module’s latest version is v4.10.1, don’t forget to upgrade it.
Below are listed the 6 regressions that were found and fixed in this version:
- A BC break was mistakenly introduced in 18.104.22.168 on some selectors in the front-office #18509
- It was not possible to use Stocks page without the rights for Translation page #19713
- Bad button color in Modules pages modal window #9699
- No success message in Customer page after editing a voucher #18842
- It was not possible to update currencies using the Webservice #18865
- There was an error at the end of the upgrade if it was run manually #18723
7 security fixes have been included in this patch version:
- External control of configuration setting in the dashboard (security advisory)
- Improper access controls in Carrier page, Module Manager and Module Positions (security advisory)
- Improper authentication (security advisory)
- Reflected XSS in product page (security advisory)
- Stored XSS in AdminQuickAccesses (security advisory)
- Information disclosure in release archive (security advisory)
- Information exposure in upload directory (security advisory)
More information about why it is important to update:
- External Control of System or Configuration Setting
- Improper Access Control
- Improper Authentication – Generic (CWE-287)
- Cross-site Scripting (XSS)
- Open Redirect (CWE-601)
- Information Exposure Through Directory Listing (CWE-548)
- Information Disclosure (CWE-200)
In order to correctly handle user session expiration, two new SQL tables have been added to PrestaShop MySQL schema:
ps_employee_session. These SQL tables are used for security purposes.
Breaking or risky changes
Dashboard modules can no longer use
AdminDashboardController::ajaxProcessSaveDashConfig() to save values. This is not possible anymore in PrestaShop 22.214.171.124 in order to enforce the shop’s security.
A bug fix included in 126.96.36.199 required changing a CSS selector in the Front Office’s product page and rendering it more specific. However, this new selector did not work with some third party themes which were based on Classic. In 188.8.131.52, a new generic selector has been added:
.product-container. If you are a theme developer, make sure to add this class to the appropriate container on your product page in order to allow your product page to be refreshed on changes.