Interchange News
Admin XSS security vulnerabilities fixed (CVE-2020-12685)
Posted on May 14, 2020 by Jon Jensen
The Interchange admin in versions 4.7.0 through 5.11.x (before 2020-05-15) was vulnerable to cross-site scripting (XSS) injection attacks in the help and quicklinks pages.
Attackers could use browser JavaScript to steal client-side credentials such as a session cookie or delivered page data. The attack type is reflected XSS: it is active only for a single page request made via a tainted link, and is not stored in the database, in page files, or reusably in the session.
This was found and reported by Sean Fernandez. Thank you very much! It has been assigned the identifier CVE-2020-12685.
To resolve the problem, apply the patch from commit 243ab0eea0a, or download the new versions of the 2 corrected files:
u1=https://raw.githubusercontent.com/interchange/interchange/243ab0eea0ae1d8d8f3e333128349f104b7e04bf
u2=$u1/dist/lib/UI/pages/admin
curl --remote-name-all $u2/help.html $u2/quicklinks.html
Then copy them into place in your global admin installation:
cp help.html quicklinks.html /path/to/interchange/lib/UI/pages/admin/
If you made catalog-local copies to customize those files, you will need to apply the fixes there manually in /path/to/catalog/pages/admin/.
Restarting the Interchange daemon is not necessary.
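As an added example that is not part of this advisory or of the Interchange project's own code, the following POSIX shell script packages the procedure above into three steps: fetch the two corrected files from the commit named above, install them into the global admin page directory while keeping a backup of each file being replaced, and list any catalog-local copies of the same pages that still need to be patched by hand. The function names and the example directory paths are assumptions for illustration; the commit hash and the file names come from the advisory.

```shell
#!/bin/sh
# Added example (not Interchange project code): apply the CVE-2020-12685
# file replacement safely and find catalog-local overrides that still need
# manual patching. Function names and paths are assumptions for illustration.
set -eu

# Commit and file names are taken from the advisory above.
COMMIT=243ab0eea0ae1d8d8f3e333128349f104b7e04bf
BASE_URL="https://raw.githubusercontent.com/interchange/interchange/$COMMIT/dist/lib/UI/pages/admin"
FIXED_FILES="help.html quicklinks.html"

# Step 1: download the two corrected files into a staging directory.
# Needs network access; -f makes curl fail on an HTTP error instead of
# silently saving an error page as help.html.
fetch_patched_files() {
    dest="$1"
    mkdir -p "$dest"
    for f in $FIXED_FILES; do
        curl -fsS -o "$dest/$f" "$BASE_URL/$f"
    done
}

# Step 2: copy the staged files into the global admin page directory,
# keeping a timestamped backup of every file being replaced so the change
# can be reverted. Fails before touching anything if a staged file is missing.
install_patched_files() {
    src_dir="$1"
    admin_dir="$2"
    stamp=$(date +%Y%m%d%H%M%S)
    for f in $FIXED_FILES; do
        [ -f "$src_dir/$f" ] || { echo "missing staged file: $src_dir/$f" >&2; return 1; }
    done
    for f in $FIXED_FILES; do
        if [ -f "$admin_dir/$f" ]; then
            cp -p "$admin_dir/$f" "$admin_dir/$f.bak-$stamp"
        fi
        cp "$src_dir/$f" "$admin_dir/$f"
    done
}

# Step 3: print catalog-local copies of the affected pages. Each path listed
# overrides the global copy, so it is still vulnerable until patched by hand.
find_local_copies() {
    catalog_root="$1"
    for f in $FIXED_FILES; do
        find "$catalog_root" -path "*/pages/admin/$f" -type f
    done
}

# Usage (paths are placeholders):
#   fetch_patched_files /tmp/ic-fix
#   install_patched_files /tmp/ic-fix /path/to/interchange/lib/UI/pages/admin
#   find_local_copies /path/to/catalog
```

Run the three functions in order; the output of `find_local_copies` is the list of files where the fix must be applied manually, as the advisory notes. No daemon restart is needed after the copy.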
The nightly build now includes the fixes, as will the upcoming 5.12.0 release.
News archive
- 2023-03-21: Interchange 3rd-party tax support for TaxJar & Avalara
- 2023-03-06: Alternate CGI link connector in Rust now available
- 2021-05-20: IRC chat channel #interchange moves to Libera Chat
- 2020-08-26: Marco Pessotto joins Interchange core developer team
- 2020-05-14: Admin XSS security vulnerabilities fixed (CVE-2020-12685)
- 2020-04-25: Project website refresh
- 2020-03-01: Interchange 5.12.0 release candidate 1
- 2018-11-22: Domain and server move
- 2016-01-06: Interchange 5.10.0 Released!
- 2015-12-30: 2015 Perl Dancer Conference reports
- 2015-08-20: New template for Interchange
- 2015-08-18: 2015 Perl Dancer Conference
- 2014-10-13: Core team changes
- 2014-08-22: Perl::Dancer Conference 2014
- 2014-07-07: Interchange 5.8.2 stable release
- 2014-07-02: Interchange6::Cart Hackathon on 14 July 2014
- 2014-06-25: Perusion developers release two new Bootstrap based templates for use with Interchange
- 2014-03-13: Interchange 5.8.1 stable release
- 2014-02-26: Interchange 6 Hackathon
- 2013-10-30: Ecommerce Innovation conference report
- 2013-07-19: Interchange 5.8.0 stable release
- 2013-03-18: eCommerce Innovations 2013 Conference
- 2013-02-13: Extensive Hall of Fame updates
- 2012-12-28: Josh Lavin joins Interchange core team
- 2011-06-12: Interchange 5.7.7 development release
- 2011-04-14: IRC Meeting Report
- 2011-03-28: Interchange IRC Meeting: April 14, 2011
- 2010-03-24: Interchange security releases: 5.7.6, 5.6.3, 5.4.5
- 2010-02-23: Interchange 5.7.5 development release
- 2009-12-09: Interchange 5.7.4 development release
- 2009-11-05: Interchange 5.7.3 development release
- 2009-09-17: Interchange security releases: 5.7.2, 5.6.2, 5.4.4
- 2009-08-23: Next Interchange community meeting
- 2009-08-13: David Christensen joins core team
- 2009-08-12: Payflow Pro legacy API retirement on September 1
- 2009-05-25: Interchange source code migrated to Git
- 2009-05-19: LinuxTag 2009
- 2009-05-13: Experimental UTF-8 branch
- 2008-12-05: JT Justman joins the Interchange core team
- 2008-11-13: Interchange 5.4.3, 5.6.1, 5.7.1 released
- 2008-06-01: Back from LinuxTag
- 2008-05-21: Interchange 5.6.0 released
- 2008-05-17: Interchange 5.5.3 development released
- 2008-05-08: Interchange at LinuxTag 2008!
- 2008-04-29: Interchange 5.5.2 development release available
- 2007-08-21: Interchange 5.5.1 development release available
- 2007-08-08: Bug Squashing Party
- 2007-06-18: New Debian Packages (5.4.2-3)
- 2007-06-13: Debian Packages for Etch
- 2007-04-05: Interchange goes to LinuxTag!
- 2007-02-27: Ron Phipps joins the Interchange core team
- 2007-02-07: Interchange 5.4.2 released
- 2006-08-28: New Developers pajamian and thunder
- 2006-05-26: Interchange 5.4.1 released
- 2006-03-28: Improved search system on www.icdevgroup.org
- 2006-03-27: [/page] and [/order] macros
- 2006-03-25: XMLDOCS documentation
- 2006-01-31: Development tree notice
- 2005-12-31: Interchange 5.4 release
- 2005-12-12: Interchange 5.3.3 developer release
- 2005-12-12: New ICDEVGROUP website
- 2005-11-23: Interchange 5.3.2 beta release available
- 2005-11-08: PayPal Pro Payments Module
- 2005-10-18: Interchange 5.4 (stable) release schedule
- 2005-09-23: Security flaw found in Interchange demo
- 2005-06-07: Admin UI Documentation
- 2004-05-05: Interchange 5.2.0 released
- 2004-04-20: Interchange 5.1.1 beta now available
- 2004-04-20: Business::OnlinePayment support for Interchange
- 2004-04-12: Interchange 5.1.0 beta released
- 2004-03-29: Interchange 5.0.1 and 4.8.9 released
- 2003-12-15: Interchange 5.0 released
- 2003-11-12: Interchange User fMRIDC.org in Infoworld Top 100
- 2003-10-31: Interchange 4.9.9 released
- 2003-06-19: Interchange 4.9.8 released
- 2003-01-30: Interchange 4.8.7 released
- 2002-12-19: Interchange Documentation Wiki
- 2002-12-12: interchange.rtfm.info
- 2002-12-12: Interchange 4.9.5 Released
- 2002-12-02: Interchange 4.9.4 released
- 2002-11-14: Order Fulfillment: The E-Commerce Deal Breaker
- 2002-10-28: Interchange on front cover of Linux Magazine
- 2002-10-28: Some docs for Interchange 4.9
- 2002-10-26: Whither Red Hat?
- 2002-10-21: New web site look and feel, new server provider
- 2002-09-25: Interchange 4.9.3 Nightly Build Available
- 2002-08-18: Interchange 4.8.6 released — IMPORTANT upgrade
- 2002-07-22: Interchange 4.9.1 alpha released
- 2002-05-06: Interchange 4.8.5 released
- 2002-05-02: Interchange 4.8.4 patch
- 2002-04-30: Interchange 4.8.4 released
- 2001-12-04: Updates to the Developers Site
- 2001-11-28: Interchange Application Server WebCast
- 2001-11-28: Interchange 4.8.3 released
- 2001-11-19: WebTechniques reviews Red Hat E-Commerce Suite
- 2001-11-08: ZDNet Review of the Red Hat E-Commerce Suite
- 2001-10-16: Linux-Magazin (German) Interchange article
- 2001-09-24: Red Hat E-commerce Suite available for purchase
- 2001-09-20: IDC white paper on Red Hat e-commerce available
- 2001-09-20: Upcoming Webcast on Interchange
- 2001-09-19: Interchange 4.8.2 released
- 2001-08-14: Printed Interchange documentation available
- 2001-08-13: Interchange 4.8.1 released
- 2001-07-26: Interchange 4.7.7 beta released
- 2001-07-18: Interchange 4.7.6 beta released
- 2001-07-03: Development release of Interchange 4.7.5
- 2001-06-16: Development release of Interchange 4.7.4
- 2001-06-12: Development release of Interchange 4.7.3
- 2001-06-12: Interchange Training Classes
- 2001-05-10: Development release of Interchange 4.7.2
- 2001-04-17: Interchange 4.6.5 released
- 2001-04-01: Interchange 4.6.4 released
- 2001-03-28: Development release of Interchange 4.7.1
- 2001-03-19: About Interchange
- 2001-03-01: Interchange Surveys
- 2001-03-01: Interchange Tutorial
- 2001-02-09: Interchange 4.6.3 released
- 2001-02-08: Interchange 4.6.2 released
- 2001-02-06: Red Hat Acquires Akopia and Interchange
- 2001-02-04: #interchange channel on IRC
- 2000-12-03: Interchange 4.6.1 released
- 2000-10-27: Interchange 4.6.0 released
- 2000-10-20: Interchange 4.5.8 beta released
- 2000-10-19: Overhauled documentation available
- 2000-10-06: Interchange 4.5.7 beta released
- 2000-09-26: Interchange 4.5.6 beta released
- 2000-08-10: Akopia Developer Resource site launched