Miva Merchant 9.10.00 is now available
Posted by Wayne Smith on 10 July 2018 11:03 AM
THIS IS A SECURITY RELEASE AND PER PCI-DSS REQUIREMENTS YOU MUST UPGRADE WITHIN 30 DAYS
• When logging in from a new device/browser, a verification code will be emailed to the user. The user must enter this code to authenticate the browser they are using.
• New default groups have been created to make things easier for users.
• Administrators and users with a developer license are now required to enable two-factor authentication. When logging in, if they do not have two-factor enabled, they will be directed to a new screen that forces them to enable two-factor authentication.
• Administrator users will have the option to reduce their privileges instead of enabling two-factor.
• Additional two-factor methods:
• WebAuthn/U2F support
• Backup tokens
• Groups are now managed at the domain level instead of in each individual store.
• The Add Userdialog has been modified to make it easier to create non-administrator users.
• It is now (deliberately) more difficult to create an administrator user. Two-factor authentication must be enabled in order to give a user the administrator privilege.
• Removed the "create other users" privilege
Time-based One-time Password
• TOTP settings are now configurable only through provisioning
• Two-factor codes are now collected on a separate screen
• Domain-level two-factor enablement flag has been removed • User email and cellphone fields have been added
25202: Setup Script: Remove remove.mvc from distributions
26415: Module: customfields: Module: Custom Fields: Read_Product_ID/Code functions should support multi-text fields
26527: Module: customfields: Custom Fields: Add / edit product screen: Multi-text custom fields values are not saved between tab switches
26549: Core JSON: JSON_Image_Upload does not log successful uploads to the admin activity log
26550: Core JSON: JSON_ProductImage_Upload does not log successful uploads to the admin activity log
26551: Core JSON: JSON_Framework_Upload does not log successful uploads to the admin activity log
26552: Customers: Customers: Shipping / Billing Information screen is susceptible to stored cross site scripting
26553: Digital Downloads: Product: Digital Download Settings screen is susceptible to stored cross site scripting
26554: Administrative Interface: Forced Password Changes are not being logged in the admin activity log
26555: Module: stdschtasks: Module: Standard Scheduled Tasks: Add / edit scheduled task screen is susceptible to stored cross site scripting
26570: Customers: Customers: Address Add / Edit Dialog is susceptible to stored cross site scripting
26608: Administrative Interface: Upload of Digital Download files should check for the DDLS modify permission
26610: Digital Downloads: Digital Downloads: The upload button on the edit product screen should only show when the user has the DDLS modify privilege
26743: Module: ptbship: Editing a table to show a redundant ceiling does not display error
26744: Module: wtbship: Editing a table to show a redundant ceiling does not display error
26745: Module: canvat: Incorrect sorting on the Canadian VAT tab
26746: MMBatchList: MMBatchList: Record_Changed should take item as a parameter in order to determine the correct column
26779: Core JSON: JSON_ModuleList_Load_Query should not error when Module_Load_Features has no results
26878: Administrative Interface: License validation error screens have unencoded outputs
Two Factor Authentication - https://docs.miva.com/how-to-guides/two-factor-authentication
Browser Verification - https://docs.miva.com/how-to-guides/browser-verification
User Groups - https://docs.miva.com/how-to-guides/user-groups