Al Brookbanks Posted August 6 Posted August 6 We are pleased to announce the release of 6.5.6. This version contains an important security patch to prevent SQL injection but also contains a number of new features. Many thanks goes to Tim for disclosing this vulnerability responsibly. Upgrade is strongly recommended as this vulnerability exists in all versions up to and including 6.5.5. All official CubeCart Hosted stores have all been proactively patched at their current version and are not vulnerable to this security issue. What's New? Issue Description #3622 Security: Password reset SQL injection vulnerability & misc. improvements. #3591 Store credit: Allows customers to use a stored amount of credit. Requires skin changes if Foundation skin isn't used. #3620 Elasticsearch: Feature to only index items that are in stock. #3605 Default Gravatar changed to person silhouette. #3603 Customer group discount by category. #3599 Foundation skin to have styles related products on checkout. #3595 Anonymous reviews for unauthenticated customers. Can I patch store manually without upgrading? This can be done by updating one line of code. Open classes/admin.class.php. Find: public function passwordRequest($username, $email) { Replace with: public function passwordRequest($username, $email) { $username = preg_replace('/[^a-z0-9.@_\-\+]/i', '', $username); Download: CubeCart-6.5.6.zip
Recommended Posts