Main fixes
Below are listed the 7 regressions that were found and fixed in this version, impacting both the front office and the back office:
Front-office regressions:
When editing an address, both in the customer account and during checkout, a new address was created instead of replacing the existing one - #18100 and #18072
Canonical redirects for products with combinations no longer worked, which could cause duplicate content - #18279
Back-office regressions:
When adding a cart rule to an order from the back office, the discount value was not correct - #18630
Searching a category with the quick search no longer redirected to the category edition page - #17908
The help card was no longer displayed on the view order and new employee pages - #18279 and #18615
The customer view page in the back office showed a wrong number of "Last emails"
It was not possible to access the translation interface for the Serbian language - #18062
Security fixes
Props to rabhi for finding a lot of issues.
- GHSA-cvjj-grfv-f56w - Improper access control on product page with combinations, attachments and specific prices
- GHSA-4wxg-33h3-3w5r - Improper access control on product attributes page
- GHSA-r6rp-6gv6-r9hq - Improper access control on customers search
- GHSA-74vp-ww64-w2gm - Improper Access Control
- GHSA-98j8-hvjv-x47j - Reflected XSS in import page
- GHSA-j3r6-33hf-m8wh - Reflected XSS with back parameter
- GHSA-mrpj-67mq-3fr5 - Reflected XSS on Exception page
- GHSA-q6pr-42v5-v97q - Reflected XSS on AdminCarts page
- GHSA-rpg3-f23r-jmqv - Reflected XSS on Search page
- GHSA-m2x6-c2c6-pjrx - Reflected XSS with dashboard calendar
- GHSA-375w-q56h-h7qc - Open redirection when using back parameter
- GHSA-87jh-7xpg-6v93 - Reflected XSS on AdminFeatures page
- GHSA-7fmr-5vcc-329j - Reflected XSS on AdminAttributesGroups page
- GHSA-48vj-vvr6-jj4f - Reflected XSS in security compromised page
On modules:
- GHSA-mmmv-m5q9-g3cm
- GHSA-774w-fg8p-7c8w
- GHSA-vr7g-vqp5-966j
- GHSA-cx2r-mf6x-55rx
More information about why it’s important to update:
- Improper Access Control
- Cross-site Scripting (XSS)
- Open Redirect (CWE-601)
Other main changes
Improve installation under the CLI by adding the “rewrite” parameter to “index_cli.php” to enable the rewrite engine - #18491
Full Changelog
Back Office:
- Bug fix:
- #18637: Fix sidebar not displayed in BO Add employee page (by @Progi1984)
- #18607: Fix wrong number of "Last emails" in BO - Customer View page (by @PululuK)
- #17920: Wrong redirection when using the quick search for a category (by @PululuK)
- #18064: Fix error when trying to translate Serbian using the BO interface (by @eternoendless)
Front Office:
- Bug fix:
- #18633: Convert cart rule value when order currency is different (by @sowbiba)
- #18493: Change product redirection rules to redirect to valid attribute url (by @jolelievre)
- #18103: Duplicate address when submitting a form with errors (by @PierreRambaud)
Core:
- Improvement:
- #18638: Update version to 1.7.6.5 (by @PierreRambaud)
- Bug fix:
- #GHSA-cvjj-grfv-f56w - Improper access control on product page with combinations, attachments and specific prices (by @PierreRambaud)
- #GHSA-4wxg-33h3-3w5r - Improper access control on product attributes page (by @PierreRambaud)
- #GHSA-r6rp-6gv6-r9hq - Improper access control on customers search (by @PierreRambaud)
- #GHSA-74vp-ww64-w2gm - Improper Access Control (by @PierreRambaud)
- #GHSA-98j8-hvjv-x47j - Reflected XSS related in import page (by @PierreRambaud)
- #GHSA-j3r6-33hf-m8wh - Reflected XSS with back parameter (by @PierreRambaud)
- #GHSA-mrpj-67mq-3fr5 - Reflected XSS on Exception page (by @PierreRambaud)
- #GHSA-q6pr-42v5-v97q - Reflected XSS on AdminCarts page (by @PierreRambaud)
- #GHSA-rpg3-f23r-jmqv - Reflected XSS on Search page (by @PierreRambaud)
- #GHSA-m2x6-c2c6-pjrx - Reflected XSS with dashboard calendar (by @PierreRambaud)
- #GHSA-375w-q56h-h7qc - Open redirection when using back parameter (by @PierreRambaud)
- #GHSA-87jh-7xpg-6v93 - Reflected XSS on AdminFeatures page (by @PierreRambaud)
- #GHSA-7fmr-5vcc-329j - Reflected XSS on AdminAttributesGroups page (by @PierreRambaud)
- #GHSA-48vj-vvr6-jj4f - Reflected XSS in security compromised page (by @PierreRambaud)
Installer:
- Bug fix:
- #18491: Installation under CLI doesn't take BASE_URI and Apache rewrite into consideration (by @PierreRambaud)
- #18451: Use scandir instead of readdir to get sorted entities (by @PierreRambaud)
Tests:
- Bug fix:
- #18309: Change test fixtures that need to be in the future (by @jolelievre)