PrestaShop v1.7.6.6

« Changelog History

PrestaShop v1.7.6.6 Release Notes

• 🛠 Main fixes

  🛠 Below are listed the 6 regressions that were found and fixed in this version:

  Front-office regression:

  • A BC break was mistakenly introduced in 1.7.6.5 on some selectors in the front-office #18509

  Back-office regressions:

  • 🌐 It was not possible to use Stocks page without the rights for Translation page #19713
  • Bad button color in Modules pages modal window #9699
  • No success message in Customer page after editing a voucher #18842

  Other regressions:

  • ⚡️ It was not possible to update currencies using the Webservice #18865
  • ⬆️ There was an error at the end of the upgrade if it was run manually #18723

  🔒 Security fixes

  🔒 7 security fixes have been included in this patch version:

  • 🔒 External control of configuration setting in the dashboard (security advisory)
  • 🔒 Improper access controls in Carrier page, Module Manager and Module Positions (security advisory)
  • 🔒 Improper authentication (security advisory)
  • 🔒 Reflected XSS in product page (security advisory)
  • 🔒 Stored XSS in AdminQuickAccesses (security advisory)
  • 🚀 Information disclosure in release archive (security advisory)
  • 🔒 Information exposure in upload directory (security advisory)

  ⚡️ More information about why it is important to update:

  • 🔧 External Control of System or Configuration Setting
  • Improper Access Control
  • Improper Authentication - Generic (CWE-287)
  • Cross-site Scripting (XSS)
  • Open Redirect (CWE-601)
  • Information Exposure Through Directory Listing (CWE-548)
  • Information Disclosure (CWE-200)

  Notable change

  In order to correctly handle user session expiration, two new SQL tables have been added to PrestaShop MySQL schema: ps_customer_session and ps_employee_session. These SQL tables are used for security purposes.

  💥 Breaking or risky changes

  🔒 Dashboard modules can no longer use AdminDashboardController::ajaxProcessSaveDashConfig() to save values. This is not possible anymore in PrestaShop 1.7.6.6 in order to enforce the shop's security.

  A bug fix included in 1.7.6.5 required changing a CSS selector in the Front Office's product page and rendering it more specific. However, this new selector did not work with some third party themes which were based on Classic.
  In 1.7.6.6, a new generic selector has been added: .product-container. If you are a theme developer, make sure to add this class to the appropriate container on your product page in order to allow your product page to be refreshed on changes.

  Full Changelog

  • Back Office:
    • Bug fix:
    • #19814: Change buttons in modal bulk of module page to avoid black color (by @NeOMakinG)
    • #18975: BO - Customer View page - Added Green alert when editing a voucher (by @Progi1984)
    • #19942: Cast changelogs to array for twig - Backport of #19778 (by @atomiix)
    • #19718: Remove i18n access restrictions (by @PierreRambaud)
    • #19990: Fix BO page Module permission checks (by @jolelievre)
  • Front Office:
    • Improvement:
    • #19800: Add a new selector in order to select the product page more precisely (by @NeOMakinG)
  • Core:
    • Improvement:
    • #19943: Update Composer dependencies and prestashop module versions (by @PierreRambaud)
    • #19980: Update version number to 1.7.6.6 (by @matks)
    • #19979: Update outdated assets in 176x (by @matks)
    • #19984: Update license headers for PS 1.7.6.6 (by @matks)
    • Bug fix:
    • #19010: Added missing required_once for Datas class (by @atomiix)
    • #19986: Fix php7-only code into 1766 (by @matks)
    • #20018: Remove COLLATION placeholder from 1.7.6.6.sql (by @matks)
    • #GHSA-mc98-xjm3-c4fm - External control of configuration setting in the dashboard (by @PierreRambaud)
    • #GHSA-997j-f42g-x57c - Information exposure in upload directory (by @PierreRambaud)
    • #GHSA-492w-2pp5-xhvg - Information disclosure in release archive (by @PierreRambaud)
    • #GHSA-ccvh-jh5x-mpg4 - Improper authentication (by @PierreRambaud)
    • #GHSA-xp3x-3h8q-c386 - Improper access controls in Carrier page, Module Manager and Module Positions (by @PierreRambaud)
    • #GHSA-qgh4-95j7-p3vj - Reflected XSS in product page (by @PierreRambaud)
    • #GHSA-v4pg-q2cv-f7x4 - Stored XSS in AdminQuickAccesses (by @PierreRambaud)
  • 🌐 Web Services:
    • Bug fix:
    • #18969: Make api backward compatible for Currencies (by @atomiix)

• All Versions
• Previous v1.7.6.5
• Next v1.7.6.7
• Latest Version