Payment Module Changes
The Authorize.Net module now displays customer and order information when processing refunds.
Shipping Module Changes
UPS Registration Changes
- Test mode credentials do not work in Production mode (this is the original behavior). Credentials created in Test mode will not function after switching to Production mode, even when the module is in Test mode.
- New behavior:
  - The UPS Registration Wizard now issues a warning when you register in Test mode.
  - The UPS module itself issues a warning when switching from Test mode to Production mode.
NEW MODULE: FedEx Web Services
- Provides rates and labels for the following FedEx shipping methods:
  - Domestic Ground
  - Domestic Express (1Day®, 2Day®, etc.)
  - Domestic Freight
  - SmartPost® (domestic US only)
  - International Ground
  - International Priority
  - International Freight
- Supports alcohol shipments
- Supports packages containing dry ice
- 'FedEx Close Service' link under "Utilities":
  - Allows the merchant to generate required Ground manifests and perform SmartPost® end-of-day operations
NEW MODULE: Endicia Shipping Labels
- For a monthly fee (payable to Endicia), Endicia provides a service with the following features:
  - Generates prepaid shipping labels for USPS shipping methods
  - Supports domestic and international shipping
- 'Endicia Account Activity' link under "Utilities":
  - Shows all label activity performed within the given store
Label VOID Feature
- When viewing shipping labels, the user now has the ability to VOID all of the labels for a shipment.
- VOID is supported by:
  - UPS Ready® Tools
  - FedEx Web Services
  - Endicia Shipping Labels
- VOID invalidates the label. If the user was pre-charged for the label (via Endicia, for example), their account is credited for the amount of the VOIDed label(s).
- When shipping multiple packages within a single shipment, FedEx and Endicia generate labels one at a time and are subject to partial label generation. When this occurs, the user is informed that they must VOID any labels that were generated for the shipment prior to the error. Selecting the VOID option voids all the labels in the shipment. UPS generates all the labels at once and is not subject to partial label generation.
The left navigation frame in the Administrative Interface can now be resized in all browsers.
The following changes were made to clientside.mvc to improve performance and reduce errors:
- URLs now specify a long cache interval (30 days) to reduce the frequency of hits.
- Cancelled and returned items can now be deleted from an order.
  - Cancelled items are returned to inventory when they are originally marked as cancelled. Therefore, deleting a cancelled item does not restock it.
  - Returned items are never returned to inventory (either when the return is received or when the item is deleted) because returned items usually require manual inspection before being returned to stock for sale.
- The Receive Returns dialog box now contains a link that allows a user to cancel a return.
  - When a return is cancelled, the items it contains are reset to the "Shipped" state with their previous tracking information.
NEW MODULE: Token List
- Displays the StoreMorph tokens available on a page.
- Shows which templates use a given StoreMorph token (useful when searching for XSS issues identified by a PCI scan).
- When a token is in use on the page, the 'View Variable on Live Page' link displays the page with every use of the token highlighted.
- The 'View All Tokens' function displays the page. As the user mouses over an in-use token, a tool tip is displayed with the name of the token.
- When the page displays specific product or category information, the module provides an edit field where the user can specify which product information to display in 'View All Tokens' or 'View Variable on Live Page' mode.
- The module uses the current user's runtime session. This allows the user to view the tokens for complex runtime situations (e.g., availability/price groups, complicated basket contents, etc.) by simply setting up the scenario in the runtime interface.
- On the OPAY page, the module presents a drop-down list of payment methods. This allows the user to view the tokens and specific display of each payment method on the actual store page.
- When the page displays order information, the module provides an edit field where the user can specify which order data to display.
- 5892: When an Item is marked as Returned, there's no way to Delete it from the Order
- 6474: Need to be able to cancel an RMA
- 6568: Password change screen can be bypassed
- 6624: Authorize.net Refunds
- 6671: Packaging rules, boxes, edit box, no validation error when entering dimensions with more than two digits behind the decimal.
- 6680: Attribute template, fatal error when adding an attribute template to a product in mysql strict mode.
- 6683: Provisioning, statetax, unable to configure state based sales tax with provisioning in a store using mysql strict
- 6684: SQL error when searching for "|\" from the Manage Shipments screen
- 6685: Runtime customer login fields need to have autocomplete disabled (in addition to the form)
- 6686: Cmp-cssui-prodlist.mvc: Product List layout, when in expanded mode, inventory message always displays as long.
- 6689: cmp-cssui-prodlist.mv: Missing space after the colon for the display of custom field prompts and values
- 6692: cmp-cssui-breadcrumbs.mv: Breadcrumbs will show category AND product as the current item if prod code and cat code are the same
- 6693: Order tabs disappear when viewing orders in IE.
- 6694: cmp-cssui-cattree.mv: SkinsComponentModule_Export_Item doesn't send custom fields
- 6695: cmp-mmui-cattree.mv: SkinsComponentModule_Export_Item doesn't send custom fields
- 6701: Attribute Machine shows attribute cost in page source
- 6702: CSSUI category_listing product:link token always includes the category
- 6703: Generate shipping label, packaging dropdown overrun when using large box names.
- 6704: Manage shipments, the selected shipping methods are not being displayed for new shipping modules (upsxml, mvfedexsoap)
- 6707: shp_ut.mv: ProductShippingRules_BuildProductIDArray fails if product id is not a positive number
- 6713: cmp-mv-imagemachine requires a hit to json.mvc to load an initially selected variant's images
- 6714: upsxml: Module should warn and force reregistration on production/test mode change
- 6715: Package dimension and weight fields with trailing spaces generate validation errors
- 6719: cmp-mmui-basket: Shipping/Handling/Sales Tax checkboxes are wiped out by pressing update on a different tab
- 6720: cmp-cssui-basket: Shipping/Handling/Sales Tax checkboxes are wiped out by pressing update on a different tab
- 6730: UPS Ready Tools has no Product Delete function
- 6731: templateorderemails: Module should display an error and not attempt to send an email when there is no From or To address
- 6735: Error/slow performance when runtime viewing a product with many inventory attributes in mivasql
- 6736: Requested function: ProductVariantPricing_Update
- 6737: Admin Content Frame is not resizeable in chrome webkit.
- 6739: Duplicate order options/partially created orders when a tax or fulfillment module fails with a fatal error
- 6740: cmp-cssui-custfields: Toggle details causes validation error when fields are added to only billing or only shipping
- 6742: Manage shipments, view shipping label, unable to view shipping labels if the store is configured to use CGI URLs
- 6746: Typo in upgrade error message
- 6748: AttributeMachine.js: swatches are being assigned with new
- 6752: Item Extension create/delete are not logged in the admin activity log
- 6754: Admin: Products: Search field cannot find products while Canonical Category Code or Alternate Display Page boxes are checked.
- 6758: Table sNN_BasketInfo is not dropped when deleting a store
- 6769: Admin/nav.mv: Screen_NotesNavigation - returns 404 Not Found errors for image links "maintainable_*.gif"
- 6770: Authorize.net: admin_cvv field fails to update in MySQL strict mode
- 6771: Affiliate Program: unable to create an affiliate via runtime in MySQL strict mode
- 6780: Paypalpro: fatal error when deselecting "Require CVV2 in Admin" in MySQL strict mode
- 6784: Shipping rules: missing validation error message when setting Priority larger than 10 digits
- 6785: Shipping rules: when using IE7 shipping rules dialog boxes extend all the way to the right.
- 6793: Manage shipments, shipping methods are not encoded correctly.
- 6794: prodexp: Module generates invalid Provisioning XML when products have no alternate display page configured
- 6795: Provisioning, Product_Update does not handle Canonical Category and alternate display page correctly.
- 6800: BestSellerList_Load_Offset has no ORDER BY and does not properly handle its "max_rec" parameter
- 6801: AttributeTemplateList_Load_Offset does not use ORDER BY
- 6802: cmp-cssui-breadcrumbs.mv: If viewing page PROD and no product is specified, blank space will be between home >> and Product Display
- 6811: Domain Settings: No validation is performed on the store selection UI module
- 6823: cmp-cssui-breadcrumbs.mv: MvIF expression should be checking for NOT ISNULL l.item:code instead of just l.item:code in function ComponentModule_Initialize
- 6827: DrawButtons_NextPrevious: XSS on g.Message, g.ImportMessage, and g.FW_WarningMessage
- 6828: Draw_ProgressBar: Possible XSS on unvalidated cycle_count and cycle_total_count parameters
- 6829: cmp-cssui-cattree: Custom field provisioning does not validate child tag names
- 6830: cmp-mmui-cattree: Custom field provisioning does not validate child tag names
- 6833: cmp-cssui-prodlist: tag is not output when saving a framework
- 6842: Admin: Various module type-specific Screen and Action functions do not validate that parameter Module_Code is a module with the appropriate features
- 6843: Report JSON functions do not validate report module features when a valid report is specified
- 6846: Password change and license accept cannot be aborted
- 6851: Add Affiliate Wizard is not visible in the Left Navigation menu
- 6852: aawizard: XSS on g.Wizard_Affiliate_StateSelect and g.Message
- 6853: atwizard: XSS on g.Message and g.AttributeWizard_Attribute_Image
- 6854: cawizard: XSS on g.Message
- 6855: pawizard: XSS on g.Message
- 6856: submitsu: XSS on multiple fields
- 6859: Save Framework: XSS on g.Error_Field_Message
- 6860: Manage Orders: Manually edited text attributes sometimes get stored in opt_code instead of data or data_long
- 6863: Legacy callers of Page_Insert receive errors on MySQL in strict mode
- 6864: cmp-cssui-breadcrumbs.mv: If product code is 0, page PROD will display the current item as Product List in the breadcrumbs.
- 6871: cmp-cssui-prodlist: Framework export generates invalid provisioning code in some cases
- 6885: remove.mvc: autocomplete enabled for login/password
- 6886: Admin login form does not have autocomplete="off" on input fields
- 6888: setup: Multiple XSS
- 6889: setup: Username and password fields with autocomplete enabled
- 6890: setup does not specify a character set and is vulnerable to UTF-7 XSS
- 6891: remove.mvc does not specify a character set and is vulnerable to UTF-7 XSS
- 6902: remove: XSS after authentication