Version 2.1.3 of Thelia has been released and includes a security fix.
We found an authentication bypass for customers and admins. This vulnerability has been present since version 2.1.0-beta1 and is fixed in 2.1.3 and 2.2.0-alpha1.
Here is the complete changelog:
- Add \Thelia\Model\OrderProduct::setCartItemId and \Thelia\Model\OrderProduct::getCartItemId to remove the typo with cartIemId
- A notice is displayed when the product’s template is changed
- Security fix on authentication
- Rename cookie related config variables. They were prefixed with “thelia_” on insert, but not in the code
- \Thelia\Model\OrderProduct::setCartIemId Because of a typo
- \Thelia\Model\OrderProduct::getCartIemId Because of a typo too