May, 2015
Update your stores with VirtueMart 3.0.9
Fortinet’s FortiGuard Labs has discovered a persistent XSS attack, tracked as CVE-2015-3619. This kind of attack can be executed with almost no interaction by the admin. In certain circumstances it was possible to use a double-encoded combination of first_name, last_name and company to create working JavaScript, which is activated when an admin hovers over the combined name of the order.
VirtueMart 3.0.8 was released out of necessity to deal with some security problems that arose in previous versions. Besides fixing bugs, the VirtueMart team also added some features in this new version. Now, let's take a closer look at VirtueMart 3.0.8.
VirtueMart 3.0.4 is an early release that successfully dealt with an incorrect error-reporting setting, which can reveal the server path in use to someone preparing a real attack.