THIS IS A SECURITY RELEASE AND PER PCI-DSS REQUIREMENTS YOU MUST UPGRADE WITHIN 30 DAYS

New Features

Browser Verification

• When logging in from a new device/browser, a verification code will be emailed to the user. The user must enter this code to authenticate the browser they are using.

Default Groups

• New default groups have been created to make things easier for users.

Two-Factor Authentication

• Administrators and users with a developer license are now required to enable two-factor authentication. When logging in, if they do not have two-factor enabled, they will be directed to a new screen that forces them to enable two-factor authentication.

• Administrator users will have the option to reduce their privileges instead of enabling two-factor.

• Additional two-factor methods:

• YubiCloud

• WebAuthn/U2F support

• Backup tokens

Other Changes

User/Group Improvements

• Groups are now managed at the domain level instead of in each individual store.

• The Add Userdialog has been modified to make it easier to create non-administrator users.

• It is now (deliberately) more difficult to create an administrator user. Two-factor authentication must be enabled in order to give a user the administrator privilege.

• Removed the "create other users" privilege

Time-based One-time Password

• TOTP settings are now configurable only through provisioning

• Two-factor codes are now collected on a separate screen

• Domain-level two-factor enablement flag has been removed • User email and cellphone fields have been added

Subresource Integrity

• Output integrity and crossorigin attributes for all JavaScript in admin and many JavaScript files in clientside

Bugs Fixed

25202: Setup Script: Remove remove.mvc from distributions

26415: Module: customfields: Module: Custom Fields: Read_Product_ID/Code functions should support multi-text fields

26527: Module: customfields: Custom Fields: Add / edit product screen: Multi-text custom fields values are not saved between tab switches

26549: Core JSON: JSON_Image_Upload does not log successful uploads to the admin activity log

26550: Core JSON: JSON_ProductImage_Upload does not log successful uploads to the admin activity log

26551: Core JSON: JSON_Framework_Upload does not log successful uploads to the admin activity log

26552: Customers: Customers: Shipping / Billing Information screen is susceptible to stored cross site scripting

26553: Digital Downloads: Product: Digital Download Settings screen is susceptible to stored cross site scripting

26554: Administrative Interface: Forced Password Changes are not being logged in the admin activity log

26555: Module: stdschtasks: Module: Standard Scheduled Tasks: Add / edit scheduled task screen is susceptible to stored cross site scripting

26570: Customers: Customers: Address Add / Edit Dialog is susceptible to stored cross site scripting

26608: Administrative Interface: Upload of Digital Download files should check for the DDLS modify permission

26610: Digital Downloads: Digital Downloads: The upload button on the edit product screen should only show when the user has the DDLS modify privilege

26743: Module: ptbship: Editing a table to show a redundant ceiling does not display error

26744: Module: wtbship: Editing a table to show a redundant ceiling does not display error

26745: Module: canvat: Incorrect sorting on the Canadian VAT tab

26746: MMBatchList: MMBatchList: Record_Changed should take item as a parameter in order to determine the correct column

26779: Core JSON: JSON_ModuleList_Load_Query should not error when Module_Load_Features has no results

26878: Administrative Interface: License validation error screens have unencoded outputs

Docs

Two Factor Authentication - https://docs.miva.com/how-to-guides/two-factor-authentication

Browser Verification - https://docs.miva.com/how-to-guides/browser-verification

User Groups - https://docs.miva.com/how-to-guides/user-groups