THIS IS A SECURITY RELEASE AND PER PCI-DSS REQUIREMENTS YOU MUST UPGRADE WITHIN 30 DAYS
Miva Merchant 9.10.00 is now available
New Features
Browser Verification
User/Group Improvements
25202: Setup Script: Remove remove.mvc from distributions
26415: Module: customfields: Module: Custom Fields: Read_Product_ID/Code functions should support multi-text fields
26527: Module: customfields: Custom Fields: Add / edit product screen: Multi-text custom fields values are not saved between tab switches
26549: Core JSON: JSON_Image_Upload does not log successful uploads to the admin activity log
26550: Core JSON: JSON_ProductImage_Upload does not log successful uploads to the admin activity log
26551: Core JSON: JSON_Framework_Upload does not log successful uploads to the admin activity log
26552: Customers: Customers: Shipping / Billing Information screen is susceptible to stored cross site scripting
26553: Digital Downloads: Product: Digital Download Settings screen is susceptible to stored cross site scripting
26554: Administrative Interface: Forced Password Changes are not being logged in the admin activity log
26555: Module: stdschtasks: Module: Standard Scheduled Tasks: Add / edit scheduled task screen is susceptible to stored cross site scripting
26570: Customers: Customers: Address Add / Edit Dialog is susceptible to stored cross site scripting
26608: Administrative Interface: Upload of Digital Download files should check for the DDLS modify permission
26610: Digital Downloads: Digital Downloads: The upload button on the edit product screen should only show when the user has the DDLS modify privilege
26743: Module: ptbship: Editing a table to show a redundant ceiling does not display error
26744: Module: wtbship: Editing a table to show a redundant ceiling does not display error
26745: Module: canvat: Incorrect sorting on the Canadian VAT tab
26746: MMBatchList: MMBatchList: Record_Changed should take item as a parameter in order to determine the correct column
26779: Core JSON: JSON_ModuleList_Load_Query should not error when Module_Load_Features has no results
26878: Administrative Interface: License validation error screens have unencoded outputs
Miva Merchant 9.10.00 is now available
New Features
Browser Verification
- When logging in from a new device/browser, a verification code will be emailed to the user. The user must enter this code to authenticate the browser they are using.
- New default groups have been created to make things easier for users.
- Administrators and users with a developer license are now required to enable two-factor authentication. When logging in, if they do not have two-factor enabled, they will be directed to a new screen that forces them to enable two-factor authentication.
- Administrator users will have the option to reduce their privileges instead of enabling two-factor.
- Additional two-factor methods:
- YubiCloud
- WebAuthn/U2F support
- Backup tokens
User/Group Improvements
- Groups are now managed at the domain level instead of in each individual store.
- The Add Userdialog has been modified to make it easier to create non-administrator users.
- It is now (deliberately) more difficult to create an administrator user. Two-factor authentication must be enabled in order to give a user the administrator privilege.
- Removed the "create other users" privilege
- TOTP settings are now configurable only through provisioning
- Two-factor codes are now collected on a separate screen
- Domain-level two-factor enablement flag has been removed
- User email and cellphone fields have been added
- Output integrity and crossorigin attributes for all JavaScript in admin and many JavaScript files in clientside
25202: Setup Script: Remove remove.mvc from distributions
26415: Module: customfields: Module: Custom Fields: Read_Product_ID/Code functions should support multi-text fields
26527: Module: customfields: Custom Fields: Add / edit product screen: Multi-text custom fields values are not saved between tab switches
26549: Core JSON: JSON_Image_Upload does not log successful uploads to the admin activity log
26550: Core JSON: JSON_ProductImage_Upload does not log successful uploads to the admin activity log
26551: Core JSON: JSON_Framework_Upload does not log successful uploads to the admin activity log
26552: Customers: Customers: Shipping / Billing Information screen is susceptible to stored cross site scripting
26553: Digital Downloads: Product: Digital Download Settings screen is susceptible to stored cross site scripting
26554: Administrative Interface: Forced Password Changes are not being logged in the admin activity log
26555: Module: stdschtasks: Module: Standard Scheduled Tasks: Add / edit scheduled task screen is susceptible to stored cross site scripting
26570: Customers: Customers: Address Add / Edit Dialog is susceptible to stored cross site scripting
26608: Administrative Interface: Upload of Digital Download files should check for the DDLS modify permission
26610: Digital Downloads: Digital Downloads: The upload button on the edit product screen should only show when the user has the DDLS modify privilege
26743: Module: ptbship: Editing a table to show a redundant ceiling does not display error
26744: Module: wtbship: Editing a table to show a redundant ceiling does not display error
26745: Module: canvat: Incorrect sorting on the Canadian VAT tab
26746: MMBatchList: MMBatchList: Record_Changed should take item as a parameter in order to determine the correct column
26779: Core JSON: JSON_ModuleList_Load_Query should not error when Module_Load_Features has no results
26878: Administrative Interface: License validation error screens have unencoded outputs
Comment