A few months ago, the PrestaShop core team decided on a more straightforward patch release process, delivering patch versions on a more regular basis, whenever they are needed. So here we are, 6 weeks after the release of 18.104.22.168: PrestaShop 22.214.171.124 is now available!
This maintenance release is a bit special: it does not only fix regressions found in versions 126.96.36.199 to 188.8.131.52, it also focuses on fixing many security issues affecting the 1.5, 1.6 and 1.7 versions. This is the result of extensive security work started a few weeks ago to make the PrestaShop software more secure. In the near future, PrestaShop will focus more and more on security to ensure that no security flaws, even minor ones such as permission issues, are left in the core.
As this patch fixes several security issues, we highly recommend upgrading your shop as soon as possible. Of course, as always, don’t forget to back up first.
Reminder: the latest version of the 1-Click Upgrade module is v4.10.1; don’t forget to upgrade it.
Below are the 7 regressions that were found and fixed in this version, impacting both the front office and the back office.
- When editing an address, both in the customer account and in checkout, a new address was created instead of replacing the existing one - #18100 and #18072
- Canonical redirects for products with combinations no longer worked, which could cause duplicate content - #18279
- When adding a cart rule to an order from the back office, the discount value was not correct - #18630
- Searching for a category with the quick search no longer redirected to the category edit page - #17908
- The help card was no longer displayed on the view order and new employee pages - #18279 and #18615
- In the customer view page, the number of “last emails” was incorrect - #18602
- It was not possible to access the translation interface for the Serbian language - #18062
Some security fixes have been included in this patch version to improve the reliability of the core. Thanks a lot to Rabhi for finding many of these issues!
Improper access controls:
- on product page with combinations, attachments and specific prices (security advisory)
- on product attributes page (security advisory)
- on customers search (security advisory)
- on several other pages (security advisory)
- on the import page (security advisory)
- with back parameter (security advisory)
- on Exception page (security advisory)
- on AdminCarts page (security advisory)
- on Search page (security advisory)
- on dashboard calendar (security advisory)
- on AdminFeatures page (security advisory)
- on AdminAttributesGroups page (security advisory)
- in security compromised page (security advisory)
- with the back parameter (security advisory)
A few security issues have also been fixed in native modules:
- Faceted Search - Reflected XSS with url_name parameter (security advisory)
- Social follow - Reflected XSS with social networks fields (security advisory)
- Link List - Stored XSS on back office edit page (security advisory) and stored XSS with custom URLs (security advisory)
More information about why it’s important to update:
Other main changes
Improved installation from the CLI by adding the “rewrite” parameter to “index_cli.php” to enable the rewrite engine (Pull request #18491).
Read the full changelog here.
Contributors to this patch version, from both the Core team and the community at large: Franck Lefèvre, Ibrahima Sow, Jonathan Lelievre, Louise Bonnard, Matthieu Rolland, Pablo Borowicz, Pierre Rambaud, PululuK. Thank you!
Since version 184.108.40.206 is a “patch” update to version 220.127.116.11, upgrading from any 1.7.6 version will be easy: features will work better, and modules and themes which worked fine on 1.7.6.x will work just as well with 18.104.22.168. Upgrades from a standard 1.7.x version should work just as well.