Yesterday we released SimpleCart 2.3.0-rc5. This release includes two security fixes and a bunch of bug fixes; the full changelog for this release is below.

- [SECURITY] Fixed: Quotes in the product options break the options TV input and default output, resulting in two persisted XSS vulnerabilities [#17]
- Improved: Now defines FormIt as a dependency for MODX 2.4
- Fixed: Product options don’t accept integers for the added price [#21]
- Fixed: With some older hook-based gateways, it would sometimes show the errorFailed message and refuse to send email notifications even if the payment was successful. [S-5943]
- Fixed: Installing demo resources on a clean install doesn’t work [#14]
- Fixed: Incorrect placeholder in lexicon for payment method order description
- Fixed: Strip out port from the host when setting cookies
- Fixed: Make sure default_tax setting is created if it doesn’t exist
- Fixed: Make sure number of decimals is prefilled on currencies [S6375]
- Fixed: Issue with creating the simpleCartEmail table on certain environments [#24]

We’ll have a security notice explaining the two fixed vulnerabilities up within the next two weeks. In the meantime, we encourage you to upgrade to SimpleCart 2.3.0-rc5 and to let us know if you run into any issues or bugs. We can be reached here on the forums, or via support@modmore.com.