Search

FaxStore Changelogs

1.x.x
1.0.0 - Initial Release
1.0.1 - Release 1.1
1.2.0 - Release 1.2
1.3.0 - Release 1.3
1.4.0 - Release 1.4
1.6.0 - Stripe Integration
1.6.1 - Hotfix
1.7.0 - General Pages
1.8.1 - Login Options
1.8.2 - Bug Fixes
1.8.3 - Minor Update
1.9.0 - More Listing Types
1.9.1 - Release 1.9.1
1.9.2 - Emails and Custom Invoicing
1.9.3 - Fatal Error Fix
2.x.x
2.0 - Displays & Themes
2.0.1 - Hot Fix
2.0.4 - Tracked Fixes
2.1.0 - Tax & Secondary Payments
2.1.1 - Bug Fixes
2.1.2 - Checkout Fix
2.2.0 - Forms & New Permissions
2.2.1 - Bug Exterminators
2.2.5 - A Refined Place
2.3.0 - Time to Square up!
2.3.2 - Automatic Updates
2.3.6 - Security vulnerability fix
2.3.9 - Invalid "code" in request fix
2.3.12 - Standard Logins (SL)
2.4.0 - Packages & Quotes
2.4.1 - Mobile View
2.4.5 - Account 2FA
2.4.6 - Corrections
2.5.0 - Tebby Integration
2.5.1 - Recovery One
2.6.0 - Spring Cleaning
2.6.1 - Username Checks & Dev Mode
2.6.2 - Recovery One
2.6.3 - Recovery Two
2.6.4 - Security Release
2.6.5 - Adding Items to Users
2.6.6 - Discord Promotion Code Fix
2.7.0 - Staff Panel Redesign
2.7.1 - Pause Discount Codes
2.7.2 - Customer View & Search Bar
2.7.3 - I'm Silly & Forgot a Bug

Weblutions Documentation > FaxStore Changelogs > 2.x.x > 2.6.4 - Security Release

2.6.4 - Security Release

This update resolves two security issues identified by users on FaxStore. It is highly recommended to update to this version to resolve these risks on your store.

These security risks don't expose any data. See the security report - https://weblutions.com/u/lpEHEQ.pdf

• Fixed an issue where payment receipts were not generating - #2188
• Fixed an issue in the recently added addDiscordRole and removeDiscordRole events which caused a 404 Discord error
• Fixed an issue with Order item types would display differently when editing the listing - #2189
• Investigated a possible error coming from the new Discord bot builder, this was dismissed - #2190

SECREP; Stripe Return Bypass

As mentioned in the released FaxStore Security Issue Notification an issue where Stripe payments could be bypassed has been resolved in this build. We can confirm this only effected Stripe checkouts and not PayPal and Square.

Thank you to user giga.nixx for reporting this issue to Weblutions, we'll be in contact with this user for a cash reward as per our Security Task Force page.

SQL Syntax Injection

We also resolved an internal SQL injection issue. Luckily this isn't exposed publicly and gives no risk to stores unless a OWNER permission level user were to use it in a store settings page form.

---

Related Articles

---

Suggest an edit

Review this page

• Login