CVE Identifier: CVE-2018-12579: An attacker is able to take over access to a user account.
Two days ago we published three releases, OXID eShop 6.0.1, 6.0.3 and 4.10.8/5.3.8. Please read this blog post for a summary of the changes.
OXID eShop 6.1.0 compilation contains two new modules (GDPR Opt-in + Klarna), monolog implementation, form field configuration, possibility to overwrite Smarty plugins with your own modules and is ready for the Personalization Option (EE). oxchkversion was removed from the admin panel.
This patch update contains bug fixes (incl. security issues 2018-002 as well as 2018-003), and GUI changes have been made. Furthermore, the modules Klarna and GDPR Opt-in were added to the compilation. See details in this listing.
No GUI changes and no bugs fixed other than security issues 2018-002 and 2018-003. This is the EoL release of the OXID eShop 4.10 series.
OXID eShop 6 introduced several improvements to the OXID eShop environment. These changes have also reached the module system, which brings some new features for developers.
We’ve received requests concerning the “Right to data portability” (Art. 20 GDPR) on several channels. The legal text states something like “… receive the personal data … in a structured, commonly used and machine-readable format…”. As this is not a clear specification, we provide an SQL script for reading out all relevant information from the database. Get the script from this blog post.
The behaviour of the PHP function __isset was changed with PHP version 7.0.6. OXID eShop makes use of this function __isset for lazy loading, and because of these changes lazy loading might behave unexpectedly in OXID eShop. Please read this blog post to avoid this unexpected behaviour in your projects and/or modules.
In order to improve the OXID eShop core code we are going to change some main principles of overwriting classes and methods when changing OXID eShop functionality with modules: methods may now be marked as private. This is not to cut away possibilities; there’ll be other means to catch up with what you want to achieve.
This patch update was exceptionally brought forward to give you a proper time frame to establish GDPR compliance with OXID eShop. Additionally, we started to introduce new principles of code writing in order to become more flexible, agile and innovative when changing the core. This patch update also contains bug fixes as well as loads of pull requests.
We recently released OXID eShop 6.0.2 including some changes in preparation for the upcoming European Data Protection Regulation (GDPR) that will be applicable as of May 25th, 2018 in all member states to harmonize data privacy laws across Europe.
CVE Identifier: CVE-2018-5763: An attacker is able to bring servers to a standstill by calling specially crafted URLs if OXID High Performance Option is activated and Varnish is used (denial of service/DoS).