PrestaShop 220.127.116.11 is now available. This maintenance release closes 5 pull requests, including a security issue.
While this is not your regular monthly patch release of 15 to 20 pull requests, 18.104.22.168 is an important upgrade nonetheless.
Fixing a security issue
Last week, our security team encountered a security issue in PrestaShop allowing a person with access to the back office to upload modules. This issue mainly concerns Addons contributors with back-office demos. Thank you, Tomer Grassiany, for your responsible disclosure of the issue and your help with its resolution!
Our team acted swiftly, deleting back-office demos from PrestaShop Addons as a first security measure. We felt it was important to protect our community while we worked out a fix.
Version 22.214.171.124 contains the needed fixes to secure our Addons contributors.
The importance of this fix explains why this release has so few changes otherwise.
PrestaShop 1.6 will also benefit from this fix. Version 126.96.36.199 contains the fix and is currently being reviewed. It will be released shortly.
What is responsible disclosure?
Responsible (and private) disclosure is a standard practice when someone encounters a security problem: before making it public, the discoverer informs the Core team about it, so that a fix can be prepared and the potential damage minimized.
We have set up the email@example.com email address so that anyone can privately contact us with all the details about issues that affect the security of PrestaShop merchants or customers. Our security team will answer you and discuss a timeframe for your publication of the details.
This maintenance release also fixes a couple of other issues:
- Allow the access of CLDR JSON files.
- Change the CLDR URL.
- Fix an error on the module notifications page.
We are happy to deliver this sixth “patch” release of PrestaShop 188.8.131.52.
The Core team keeps working on fixing the issues that are reported to us, making regular improvements to the codebase. Have you found an issue in PrestaShop 1.7? Create a detailed Forge ticket, so that we can reproduce it and fix it!
The PrestaShop 184.108.40.206 changelog is available.
Since version 220.127.116.11 is a “patch” update to version 18.104.22.168, upgrading from that version will be easy: features will work better, and modules & themes which worked fine on 22.214.171.124 will work just as well with 126.96.36.199.