Miva Merchant 9.10.00 Release Notes
Posted by Wayne Smith on 10 July 2018 11:05 AM
|
|
THIS IS A SECURITY RELEASE AND PER PCI-DSS REQUIREMENTS YOU MUST UPGRADE WITHIN 30 DAYS
New Features
Browser Verification • When logging in from a new device/browser, a verification code will be emailed to the user. The user must enter this code to authenticate the browser they are using.
Default Groups • New default groups have been created to make things easier for users.
Two-Factor Authentication • Administrators and users with a developer license are now required to enable two-factor authentication. When logging in, if they do not have two-factor enabled, they will be directed to a new screen that forces them to enable two-factor authentication. • Administrator users will have the option to reduce their privileges instead of enabling two-factor. • Additional two-factor methods: • YubiCloud • WebAuthn/U2F support • Backup tokens
Other Changes User/Group Improvements • Groups are now managed at the domain level instead of in each individual store. • The Add Userdialog has been modified to make it easier to create non-administrator users. • It is now (deliberately) more difficult to create an administrator user. Two-factor authentication must be enabled in order to give a user the administrator privilege. • Removed the "create other users" privilege
Time-based One-time Password • TOTP settings are now configurable only through provisioning • Two-factor codes are now collected on a separate screen • Domain-level two-factor enablement flag has been removed • User email and cellphone fields have been added
Subresource Integrity • Output integrity and crossorigin attributes for all JavaScript in admin and many JavaScript files in clientside
Bugs Fixed 25202: Setup Script: Remove remove.mvc from distributions 26415: Module: customfields: Module: Custom Fields: Read_Product_ID/Code functions should support multi-text fields 26527: Module: customfields: Custom Fields: Add / edit product screen: Multi-text custom fields values are not saved between tab switches 26549: Core JSON: JSON_Image_Upload does not log successful uploads to the admin activity log 26550: Core JSON: JSON_ProductImage_Upload does not log successful uploads to the admin activity log 26551: Core JSON: JSON_Framework_Upload does not log successful uploads to the admin activity log 26552: Customers: Customers: Shipping / Billing Information screen is susceptible to stored cross site scripting 26553: Digital Downloads: Product: Digital Download Settings screen is susceptible to stored cross site scripting 26554: Administrative Interface: Forced Password Changes are not being logged in the admin activity log 26555: Module: stdschtasks: Module: Standard Scheduled Tasks: Add / edit scheduled task screen is susceptible to stored cross site scripting 26570: Customers: Customers: Address Add / Edit Dialog is susceptible to stored cross site scripting 26608: Administrative Interface: Upload of Digital Download files should check for the DDLS modify permission 26610: Digital Downloads: Digital Downloads: The upload button on the edit product screen should only show when the user has the DDLS modify privilege 26743: Module: ptbship: Editing a table to show a redundant ceiling does not display error 26744: Module: wtbship: Editing a table to show a redundant ceiling does not display error 26745: Module: canvat: Incorrect sorting on the Canadian VAT tab 26746: MMBatchList: MMBatchList: Record_Changed should take item as a parameter in order to determine the correct column 26779: Core JSON: JSON_ModuleList_Load_Query should not error when Module_Load_Features has no results 26878: Administrative Interface: License validation error screens have unencoded outputs
Docs Two Factor Authentication - https://docs.miva.com/how-to-guides/two-factor-authentication Browser Verification - https://docs.miva.com/how-to-guides/browser-verification User Groups - https://docs.miva.com/how-to-guides/user-groups
| |
|