Fixed security issues:
- Blind SQL-injection in DAL aggregations
- Broken ACL on Document retrieval that allowed access to other customers' documents
- Denial of Service via password length (@bsmietana)
- Check for registered accounts through the store-api (@niklaswolf)
Other changes:
- #3476 - NEXT-33504 - fix: Allow `association_fields` of `media_default_folder` to be nullable (@aragon999)
- #3486 - NEXT-32844 - fix(elasticsearch): Add separator to admin ES search indexer queries (@M-arcus)
- #3494 - NEXT-30575 - fix(core): Remove HTML sanitization from mail header and footer fields (@M-arcus)
- #3518 - NEXT-33235 - perf: Only use `searchIds` for import id resolving (@aragon999)
- #3567 - NEXT-34491 - NEXT-14691 - Add pseudo modal twig blocks (@lacknere)
- #3579 - NEXT-34070 - Improved seo url replacer (@akf-bw)
- #3580 - NEXT-34102 - Add new block in analytics template (@wannevancamp)
- #3605 - NEXT-34399 - Update action.html.twig to include css class for detail button (@choeft)
- #3611 - NEXT-34676 - Update ProductDetailRoute.php (@aneufeld23)
- #3684 - NEXT-36143 - feat: resolve extension parameters in compiler passes (@Ocarthon)
- #3718 - NEXT-36288 - feat: Add event to select variant on product detail page (@aragon999)
- #3779 - NEXT-36924 - Add missing check for context object in request attributes for StoreApiSeoResolver (@mromeike)
- #3833 - NEXT-37557 - Update Bootstrap Docs Link (@levin192)
- #3836 - NEXT-37684 - Fix updating thumbnails in strict mode (@phizab)
- #5759 - NEXT-39897 - Backport the `getAssociatedDefinition` method of the `EntityDefinitionQueryHelper` from NEXT-34674 (@SpiGAndromeda)
- NEXT-29637 - Allowed nulls in SystemConfigValidator for required values in child-configs