Version 2.1.2 of Thelia has been released and includes a security fix.
Simon Vieille from web&design reported an XSS injection in the Thelia BackOffice (error.html template). This vulnerability is present in versions 2.1.0 and 2.1.1 but not in version 2.0.*.
Here is the complete changelog:
- Add the possibility to delete a coupon from the BackOffice.
- Module list is now reversed: delivery modules appear first, then payment and finally classic modules.
- Display a loader when a module is uploaded.
- Change product prices export and import format to be compatible, now using product_sale_elements id as key to identify PSE.
- Fix unused variable in Thelia\Controller\Api\CustomerController::getDeleteEvent.
- Change default order for cart loop.
- Add missing static keyword for Thelia\Core\HttpFoundation\JsonResponse::createError.
- Do not register previous URL on XmlHttpRequest.
- Fix deploy image directory destination.
- Fix redirect response if an AuthenticationException is caught.
- Prevent XSS injection in error.html template.
- The hook method is now stored in the ignored_module_hook table.
- Allow to hardlink TinyMCE rather than symlink.
- Add bootstrap paths for thelia-project.
- Enlarge order dropdown menu to prevent wrapping in some languages.
- Fixed language when previewing e-mails.
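As an added illustration of the class of fix behind the error.html item above (example code written for this page, not Thelia's own template or code; the renderErrorPage() and untrustedIsNeutralised() helpers are hypothetical), the snippet below renders an error page twice from the same untrusted message, once interpolated raw and once HTML-escaped, and checks which output still carries the original markup:

```php
<?php
// Added example, not Thelia code: contrasts an error template that
// interpolates an attacker-influenced message as-is with one that
// escapes it for an HTML context before output.

declare(strict_types=1);

/**
 * Hypothetical renderer standing in for an error.html-style template.
 * $message may derive from the request (a path or parameter echoed back
 * into a "not found" page), so it must be treated as text, never as HTML.
 */
function renderErrorPage(string $message, bool $escape = true): string
{
    $body = $escape
        ? htmlspecialchars($message, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        : $message; // vulnerable form: raw interpolation into the page

    return "<!DOCTYPE html>\n<html><body>\n"
         . "<h1>Error</h1>\n<p>{$body}</p>\n"
         . "</body></html>\n";
}

/**
 * Regression check usable from a test suite: true when the escaped form of
 * $untrusted appears in $rendered and the raw form does not (unless the two
 * are identical because the input contained no HTML-significant characters).
 */
function untrustedIsNeutralised(string $rendered, string $untrusted): bool
{
    $escaped = htmlspecialchars($untrusted, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    return strpos($rendered, $escaped) !== false
        && ($escaped === $untrusted || strpos($rendered, $untrusted) === false);
}

// Constructed sample message carrying markup, as a crafted request might.
$sample = 'Page "/foo" not found <script>alert(1)</script>';

$vulnerable = renderErrorPage($sample, false);
$hardened   = renderErrorPage($sample, true);

var_dump(untrustedIsNeutralised($vulnerable, $sample));
var_dump(untrustedIsNeutralised($hardened, $sample));
```

The check is deliberately strict about quotes as well as angle brackets (ENT_QUOTES), because an error message that lands inside an attribute value is broken out of with a quote rather than a tag. In a template engine the equivalent mitigation is the engine's HTML-escape modifier or its auto-escaping setting applied to every value that can originate from the request.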