
Updates Posts

Major April Updates!

A pack of crucial updates for the most promising Magento 2 extensions!

 

We say goodbye to April – a month marked with our hard work – and greet the new beginning full of powerful solutions and advanced enhancements for your Magento 2 store!
Having considered all the relevant customer requests, we’ve come up with improvements that will benefit e-commerce businesses of any scale. Explore the automation-targeted backend options to manage processes efficiently, and provide increased user-friendliness in the frontend to engage customers in every service – from a tempting loyalty program to detailed product subscriptions.
Start May with upgrading your store!

April updates Magento 2

Magento 2 Blog 2.5.0
– Related Posts;
– Thumbnails for Recent Posts and Blog Posts;
– GraphQL;
– PageBuilder support;
– RSS;
– Speed improvements;
– Bug fixes.

Magento 2 Shop by Brand 1.2.0
– Split database support;
– Data migration tool from M1 to M2;
– Brand URL display based on the backend brand settings;
– Page Builder support;
– Bug fixes.

Magento 2 Reward Points 1.6.0
– Option for admin to apply points in the backend;
– Integration with Advanced Reviews 1.1.0.

Magento 2 Advanced Subscription Products 2.1.0
PayPal button on a product page
– PayPal support via Braintree;
– Bug fixes.

Magento 2 Advanced Reviews 1.1.0
– A separate page with all reviews on the site;
– Image support;
– Customer comments;
– Comment Auto-approval;
– Review Auto-approval;
– Abuse report;
– Anti-spam protection;
– Review widget;
– Filter options: with images, only by rating, from verified buyers only;
– Improved helpfulness voting behavior;
– Email address for alerts about negative reviews;
– Integration with Reward Points 1.6.0;
– Minor UI fixes.

 

MAGENTO SECURITY PATCH SUPEE-11086 RELEASED

SUPEE-11086, Magento Commerce 1.14.4.1 and Open Source 1.9.4.1 contain multiple security enhancements that help close remote code execution (RCE), cross-site scripting (XSS), cross-site request forgery (CSRF) and other vulnerabilities.

Patches and upgrades are available for the following Magento versions:

  • Magento Commerce 1.9.0.0-1.14.4.0: SUPEE-11086 or upgrade to Magento Commerce 1.14.4.1.
  • Magento Open Source 1.5.0.0-1.9.4.0: SUPEE-11086 or upgrade to Magento Open Source 1.9.4.1.

List of High CVSSv3 Severity Issues Addressed by this Security Patch

    • SQL Injection vulnerability through an unauthenticated user:
      An unauthenticated user can execute arbitrary code through an SQL injection vulnerability, which causes sensitive data leakage.
    • Remote code execution via server side request forgery:
      An authenticated user with administrative privileges to store configuration can execute arbitrary code via server side request forgery (SSRF) issued to Redis. SSRF is facilitated through crafted gateway XML URL configuration.
    • Arbitrary code execution due to unsafe handling of a malicious product attribute configuration:
      An authenticated user with privileges to configure products can execute arbitrary PHP code.
    • Arbitrary code execution due to unsafe deserialization of a PHP archive:
      An authenticated user with administrative privileges can execute arbitrary code through a Phar deserialization vulnerability.
    • Arbitrary code execution due to unsafe handling of a malicious layout update:
      An authenticated user with privileges to the dataflow importer and catalog categories can execute arbitrary PHP code.
    • Remote code execution through PHP code that can be uploaded to the nginx server due to crafted customer store attributes:
      An authenticated user with privileges to modify a customer’s store attributes can execute arbitrary code when allowed to upload PHP input files to the nginx server.
    • Remote code execution through arbitrary XML data sent through a layout table:
      An authenticated user with administrative privileges to modify layouts can execute arbitrary code by injecting arbitrary XML data into a layout table.
    • Arbitrary code execution through bypass of PHP file upload restriction:
      An authenticated user with privileges to system configuration files can bypass file upload restrictions and allow arbitrary upload and execution of arbitrary PHP code.
    • Arbitrary code execution due to bypass of layout validator:
      An authenticated user with privileges can bypass the layout validator and execute arbitrary code through layout updates in the Admin.

Consult our certified Magento developers if you want to implement this security patch. If you have any questions regarding the Magento security patch SUPEE-11086, please contact our support team.

MAGENTO SECURITY PATCH SUPEE-10975 RELEASED

SUPEE-10975, Magento Commerce 1.14.4.0 and Open Source 1.9.4.0 contain multiple security enhancements that help close remote code execution (RCE), cross-site scripting (XSS), cross-site request forgery (CSRF) and other vulnerabilities.

Patches and upgrades are available for the following Magento versions:

  • Magento Commerce 1.9.0.0-1.14.4.0: SUPEE-10975 or upgrade to Magento Commerce 1.14.4.0.
  • Magento Open Source 1.5.0.0-1.9.4.0: SUPEE-10975 or upgrade to Magento Open Source 1.9.4.0.

 
Several high CVSSv3 severity issues were found that affected Magento Open Source prior to 1.9.4.0, Magento Commerce prior to 1.14.4.0, Magento 2.1 prior to 2.1.16, and Magento 2.2 prior to 2.2.7. Below are a few of the bugs:

| Issue Type | CVSSv3 Severity | Security Bug | Description |
| --- | --- | --- | --- |
| Brute Force Login / Session Identifier | 9.0 | Stops Brute Force Requests via basic RSS authentication | An attacker is able to brute force requests to the RSS nodes that require admin authentication. With this, the attacker would be able to guess the admin password. |
| Compliance Requirement | 9.0 | M1 Credit Card Storage Capability | Removes functionality enabling M1 customers to store credit card data in the database. |
| Remote Code Execution (RCE) | 8.5 | Authenticated RCE using customer import | Restricts Admin users with access to edit product attributes from running customer imports while executing arbitrary code using a serialized string that has been set as validate_rules on an attribute. |
| Remote Code Execution (RCE) | 8.5 | API Based RCE Vulnerability | By activating an API, including the ability to add products, it is possible to send base64-encoded content to an unauthorized file and, with it, execute an RCE. |
| Remote Code Execution (RCE) | 8.5 | RCE Via Unauthorized Upload | Prevents a user from uploading unauthorized files while attaching videos. |
| Remote Code Execution (RCE) | 8.5 | Authenticated RCE using dataflow | Prevents Admin users with access to dataflow functionality from executing arbitrary code using a specially crafted serialized string. |

Source: Magento

It is highly recommended by Magento to deploy these new releases right away, to ensure optimal security and performance. Remember to implement and test the patch in a development environment first to confirm that it works as expected or consult a professional.

What else can be done to protect a Magento site?

Apart from installing the security patches, you can always ask Magento certified professionals to conduct a security audit every quarter to ensure that your store is secured especially if you have installed new extensions and made some changes to the site.

Consult our certified Magento developers if you want to implement this security patch. If you have any questions regarding the Magento security patch SUPEE-10975, please contact our support team.

MAGENTO SECURITY PATCH SUPEE-10888 RELEASED

SUPEE-10888, Magento Commerce 1.14.3.10 and Open Source 1.9.3.10 contain multiple security enhancements that help close cross-site scripting (XSS), cross-site request forgery (CSRF) and other vulnerabilities.

Patches and upgrades are available for the following Magento versions:

  • Magento Commerce 1.9.0.0-1.14.3.10: SUPEE-10888 or upgrade to Magento Commerce 1.14.3.10.
  • Magento Open Source 1.5.0.0-1.9.3.10: SUPEE-10888 or upgrade to Magento Open Source 1.9.3.10.

 
Several CVSSv3 severity issues were found that affected the Magento products. Below are a few of the bugs:

| Issue Type | CVSSv3 Severity | Security Bug | Description |
| --- | --- | --- | --- |
| XML injection | 6.9 | Authenticated Unauthorised Data Access Via Layout Injection | An administrator with limited permissions might be able to obtain information outside of his permissions. |
| General: Cross Site Scripting (reflective) | 6.1 | Reflective XSS against Admin Panel | Arbitrary JS can be triggered on the sales order grid page by manipulating one of the URL parameters. |
| General: Cross Site Scripting (reflective) | 6.1 | Admin to Admin XSS in configurable custom attribute label | An administrator with limited permissions might be able to use an XSS attack on another administrator. |
| Privilege Escalation & Enumeration: Information Exposure | 5.9 | Overwrite all Reviews | In specific configurations, it might be possible to overwrite reviews. |
| Privilege Escalation & Enumeration: Information Exposure | N/A | Reset password URL includes the customer ID | The reset password link for a customer account includes the customer ID. An attacker can use the customer ID to gain access to the customer account, despite the use of a token. |

Source: Magento

It is highly recommended by Magento to deploy these new releases right away, to ensure optimal security and performance. Remember to implement and test the patch in a development environment first to confirm that it works as expected or consult a professional.

What else can be done to protect a Magento site?

Apart from installing the security patches, you can always ask Magento certified professionals to conduct a security audit every quarter to ensure that your store is secured especially if you have installed new extensions and made some changes to the site.

Consult our certified Magento developers if you want to implement this security patch. If you have any questions regarding the Magento security patch SUPEE-10888, please contact our support team.

MAGENTO SECURITY PATCH SUPEE-10752 RELEASED

SUPEE-10752, Magento Commerce 1.14.3.9 and Open Source 1.9.3.9 contain multiple security enhancements that help close authenticated Admin user remote code execution (RCE), cross-site request forgery (CSRF) and other vulnerabilities.

NOTE: Conflicts during installation of the patch SUPEE-10752 are caused most often by having version 1 of the previous patch installed (SUPEE-10570v1). Please make sure to remove SUPEE-10570v1 and install SUPEE-10570v2 prior to installation of SUPEE-10752.

Patches and upgrades are available for the following Magento versions:

  • Magento Commerce 1.9.0.0-1.14.3.9: SUPEE-10752 or upgrade to Magento Commerce 1.14.3.9.
  • Magento Open Source 1.5.0.0-1.9.3.9: SUPEE-10752 or upgrade to Magento Open Source 1.9.3.9.

 
Several CVSSv3 severity issues were found that affected the Magento products. Below are a few of the bugs:

| Issue Type | CVSSv3 Severity | Security Bug | Description |
| --- | --- | --- | --- |
| Remote Code Execution (RCE) | 9.8 (Critical) | Authenticated Remote Code Execution (RCE) using custom layout XML | Admin users with permission to manage products can use custom layout XML to copy any file to any location. |
| Remote Code Execution (RCE) | 9.8 (Critical) | Authenticated Remote Code Execution (RCE) through the Create New Order feature (Commerce only) | Users with permission to generate sales orders from the Admin panel can use gift card functionality to manipulate request data and inject a malicious string that is later unserialized. |
| Remote Code Execution (RCE) | 8.9 (High) | PHP Object Injection and RCE in the Magento admin panel (Commerce Target Rule module) | An administrator user with access to the Enterprise Target rule module can create rule-based product relations that can be manipulated to trigger remote code execution. |
| Remote Code Execution (RCE) | 8.9 (High) | PHP Object Injection and Remote Code Execution (RCE) in the Admin panel (Commerce) | An administrator user with access to the Commerce Target rule module can create rule-based product relations that can be manipulated to trigger remote code execution. |
| SQL Injection (SQLi) | 8.2 (High) | Authenticated SQL Injection when saving a category | Arbitrary JS can be triggered on the sales order grid page by manipulating one of the URL parameters. |
| SQL Injection (SQLi) | 8.2 (High) | Admin to Admin XSS in configurable custom attribute label | By manipulating request data when saving a category, a user can insert a malicious string into the database that can be used in a subsequent request to perform SQL injection. This injected code can be used to trigger arbitrary (with the proviso they fit in the 255 char field) insert and update commands. |
| Cross Site Request Forgery (CSRF) | 7.4 (High) | CSRF is possible against Web sites, Stores, and Store Views | Multiple CSRF vulnerabilities allow for deleting websites, stores or store views. |
| Security Implementation Flaw | 7.4 (High) | The cron.php file can leak database credentials | The cron.php file can leak database credentials if it is not able to establish a connection to the database. |

Source: Magento

It is highly recommended by Magento to deploy these new releases right away, to ensure optimal security and performance. Remember to implement and test the patch in a development environment first to confirm that it works as expected or consult a professional.

What else can be done to protect a Magento site?

Apart from installing the security patches, you can always ask Magento certified professionals to conduct a security audit every quarter to ensure that your store is secured especially if you have installed new extensions and made some changes to the site.

Consult our certified Magento developers if you want to implement this security patch. If you have any questions regarding the Magento security patch SUPEE-10752, please contact our support team.

RMA 1.3 by Aheadworks: Backend Request Creation, Canned Responses, and Return Management Improvements

The return process is quite complicated since it involves a lot of steps, conditions, status changes, and constant communication between merchants and customers.

The main purpose of any business is to simplify and clarify the whole RMA workflow and make it less time-consuming.

Any considerable or even small improvements can serve the final goal, where each positive amendment (even the slight one) brings you closer to the smooth and fluid procedure reasonably arranged for both sides.

Today, we are glad to announce that the new version of the RMA extension introduces a lot of process improvements able to make your return management hassle-free.

RMA 1.3 for Magento 2

New RMA Requests Created from the Backend

The biggest benefit of this update is that now, Magento admins are able to initiate and create RMA requests right from the backend. This opportunity is especially valuable if you regularly receive return requests offline.

For this purpose, enter the Manage RMA page (Sales > RMA by Aheadworks > Manage RMA) and click the New Request button. This will open the New request page with the following sections: General Information, Products, Customer Information, and RMA History.

Follow Up Email 2.1 by Aheadworks Brings New Trigger Events and Functionality Improvements

Sending automated follow-up emails is a must-have functionality, especially if your customer base is rich.

The more sending options and conditions you have, the better the response rate of your emails and the stronger the customer loyalty to your brand.

You may enumerate a lot of occasions to send emails to customers, but it will definitely include customer birthdays, submitted reviews, and created wishlists.

In fact, these are the new events we’ve just added to the Follow Up Email extension with this latest release. Please welcome Follow Up Email 2.1 for Magento 2!

New Events

New Wishlists and Wishlist Content Changes

Creating wishlists is a process that needs careful consideration and feedback from your side. Customers adding products to their wishlists are halfway to actual purchases, and they just need to be pushed a little more to complete their orders.

That’s exactly the incentive provided by the latest version of the Follow Up Email extension. In this case, the module automatically reminds customers about their wishlists if they meet some predefined and flexible triggering conditions.

Blog 2.4 Adds New Social Sharing Options and Brings Enhancements to Blog Management

Using a blog powered by Magento is beneficial in any case and especially great if you have a chance to add relevant posts to product pages.

All this and more was provided by the previous version of our Blog extension for Magento 2. Today, we announce a new version of the extension that has a lot of new valuable functions on board.

Blog 2.4 Features

Social Media Sharing Options

Sharing official blog posts in social media is quite popular among customers and visitors and may be considered as a public approval of your content strategy. Still, if the shared content is indistinct and unattractive, visitors may neglect the provided option.

So, in order to avoid such a negative influence, the latest version of the extension supports the Open Graph and Twitter Cards markups.

FAQ 1.1: Question Submission Forms on FAQ Article Pages

Each Magento store owner has a lot to tell customers, and customers have even more to ask.

That’s really the situation when you can take advantage of the FAQ extension for Magento 2 to the fullest. So, since we clearly understand that many people are in dire need of this functionality, we continue improving this extension regularly and have just recently released a new version of the module.

Below are presented the main features of FAQ 1.1 for Magento 2.

New Functionality

Ask Questions on Article Pages

This function is another step towards close communication with customers and a great opportunity to simplify the whole process of submitting questions.

From now on, customers are able to ask questions directly on article pages. A visitor has to fill in three fields: name, email, and question. As soon as the question is submitted, a store admin will receive an email notification (if the corresponding option is enabled in the extension’s settings).

Layered Navigation 1.8 Adds a Horizontal Filter Bar on Category Pages

The possibility to adjust the layered navigation bar to the layout and design of a web store’s category pages is able to improve overall usability and the convenience of catalog navigation for customers.

The latest Layered Navigation 1.8 extension for Magento 2 adds this very feature that has been long awaited by online merchants – horizontal filter bar.

Horizontal Filter Bar on Category Pages

The ability to use horizontal filter bars is undoubtedly beneficial for small business owners whose stores have a one-column layout on category pages. This way, shoppers get a great opportunity to smoothly navigate through the store catalog.

Horizontal Filter Bar Provided by Layered Navigation 1.8

MAGENTO SECURITY PATCH SUPEE-10570 RELEASED

SUPEE-10570, Magento Commerce 1.14.3.8 and Open Source 1.9.3.8 contain multiple security enhancements that help close remote code execution (RCE), cross-site scripting (XSS), and other issues. These releases also include small functional fixes listed in the release notes.

NOTE: Magento was recently informed about an issue with both patch SUPEE-10570 and Magento versions 1.9.3.8/1.14.3.8 that could result in the inability of customers to complete checkout when trying to register during checkout. Magento is now providing an updated patch (SUPEE-10570v2) that no longer causes this issue.

Patches and upgrades are available for the following Magento versions:

  • Magento Commerce 1.9.0.0-1.14.3.7: SUPEE-10570 or upgrade to Magento Commerce 1.14.3.8
  • Magento Open Source 1.5.0.0-1.9.3.7: SUPEE-10570 or upgrade to Magento Open Source 1.9.3.8

 
Several CVSSv3 severity issues were found that affected the Magento products. Below are a few of the bugs:

| Issue Type | CVSSv3 Severity | Security Bug | Description |
| --- | --- | --- | --- |
| Remote Code Execution (RCE) | 9.8 (High) | Remote Code Execution Using XML Injection | An administrator with limited privileges can insert injectable XML into the layout table, which can create an opportunity for remote code execution. |
| Remote Code Execution (RCE) | 9.8 (Critical) | Remote Code Execution – additional fix not included in SUPEE-9652 | A user can insert information in a return path, thereby storing information on the file system that could lead to Remote Code Execution (RCE). |
| Remote Code Execution (RCE) | 8.9 (High) | Remote Code Execution by (semi-)arbitrary file deletion for admin users with access to Import | An administrator with Import permissions can import an XML file that could potentially provide an opportunity for Remote Code Execution (RCE). |
| Remote Code Execution (RCE) | 7.2 (High) | Remote Code Execution in Staging Environment | An administrator with limited privileges can inject a malformed configuration bypass, which could potentially lead to a file redirection that could be leveraged for arbitrary remote code execution. |
| Cross-Site Request Forgery (CSRF) | 6.4 (Medium) | Cross-Site Request Forgery in Store Backups | An administrator can be tricked into performing a system backup by an attacker who has crafted a targeted Cross-Site Request Forgery (CSRF) attack. |
| Cross-site Scripting (XSS) – stored | 5.0 (Medium) | Cross-site Scripting in CMS hierarchy | An administrator with limited privileges can insert script into the CMS hierarchy, which could potentially result in stored cross-site scripting that affects other administrators. |
| Cross-site Scripting (XSS) – stored | 5.0 (Medium) | Cross-site Scripting in Custom Variables | An administrator with limited privileges can insert script in the custom variables name field, which could potentially result in stored cross-site scripting that affects other administrators. |

Source: Magento

It is highly recommended by Magento to deploy these new releases right away, to ensure optimal security and performance. Remember to implement and test the patch in a development environment first to confirm that it works as expected or consult a professional.

What else can be done to protect a Magento site?

Apart from installing the security patches, you can always ask Magento certified professionals to conduct a security audit every quarter to ensure that your store is secured especially if you have installed new extensions and made some changes to the site.

Consult our certified Magento developers if you want to implement this security patch. If you have any questions regarding the Magento security patch SUPEE-10570, please contact our support team.

Shop by Brand 1.1 Manages Products on Brand Pages

The advantages of branding are undeniable since brand names allow you to improve product recognition, build loyalty, consolidate product position on the market, and make new product launches successful.

In order to present brands properly in their stores, Magento store owners can successfully use the Shop by Brand extension for Magento 2, especially since it was updated and improved just recently.

Since brand pages presenting products are the central elements of any brand strategy, the latest Shop by Brand 1.1 significantly improves the possibilities to manage and sort products on those pages.

Shop by Brand 1.1 New Features

Manage Products on Brand Pages

From now on, Magento admins are able to add products to brand pages easily from the Edit Brand section in the backend.

In order to enter the grid please follow Catalog -> Shop by Brand by Aheadworks -> Brand Pages -> Particular brand -> Brand products grid. The grid enumerates all available products and allows adding any of them to a particular brand page in just one click.

Advanced Reports 2.6 Introduces a Brand-New Reports Dashboard

Any online business, even a small or starting one, needs to deal with a huge amount of information, but staring and seeing are two completely different things.

The data a merchant has as a result of its daily sales and other activities are so abundant that they need not only to be collected properly, but also arranged in a way that allows merchants to correctly interpret them, discover valuable insights, and make efficient decisions.

Advanced Reports 2.6 Functionality

Today, we’d like to present our new enhanced Advanced Reports extension for Magento 2 stores, which pays a great deal of attention to the usability, clarity, and meaning of reports. Still, the latest Advanced Reports 2.6 has even more to offer, and its major feature is the new reports Dashboard.

Advanced Reports Dashboard

The dashboard has 10 widgets in total, including 8 numerical widgets and 2 charts. A Magento admin can easily change their content according to their business needs and display any of the reports provided by the extension there. The drop-down for changing the content is located in the top right corner of each widget.

Product Questions 1.1 Provides a Seamless Migration of Questions and Answers to Magento 2

The more ex-Magento 1 merchants opt for Magento 2, the more often they need some migration solutions able to make their move simple and sound.

Since we also regularly receive similar requests regarding our extensions, we provide our customers with more and more migration solutions allowing them to move the data they need much faster and with no breaches.

Questions Migration Tool by Product Questions 1.1

The Product Questions extension for Magento 2

Today we’d like to introduce Product Questions 1.1 for Magento 2, which covers exactly the above issue with the included migration tool. The tool allows you to transfer questions, answers, and particular statistics created by the preceding Product Questions extension for M1 to your brand-new Magento 2 store.

In more detail, the process is described in the extension’s technical documentation.

The module is good and ready to be purchased and updated. Please visit the product page or try it in action on our demos.

Layered Navigation 1.7: Fine-tune Your Product Filters

Filtering products is one of the shortest ways to the desired products, and the quality of the layered navigation filters may significantly influence the entire journey and final result of browsing in your online store.

If your customers are able to quickly and conveniently find the products they need, you have much better chances to witness multiple completed orders in your store. Layered Navigation is one of our first Magento 2 extensions and has already passed through multiple updates and functionality enhancements. Here comes one more functionality improvement with Layered Navigation 1.7.

So, we have to offer you some really valuable new features you will hopefully like.

Layered Navigation 1.7

Manage Filters Page

The most significant enhancement, which largely determined the entire course of the current update, is the Manage Filters section added to the backend configuration scope. Available under Catalog -> Layered Navigation by Aheadworks -> Manage Filters, it lists all the available navigation filters, either native to Magento or added by the extension.