Although this release includes these enhancements, no confirmed attacks related to these issues have occurred to date. However, certain vulnerabilities can potentially be exploited to access customer information or take over administrator sessions, so we recommend that you upgrade your Magento software to the latest version as soon as possible.
See Magento Security Center for a comprehensive discussion of these issues. All exploitable security issues fixed in this release (2.1.15) have been ported to 2.2.6, 126.96.36.199, and 188.8.131.52, as appropriate.
Magento 2.1.15 contains 25 security fixes and enhancements. See Magento Security Center for more information.
In addition to security enhancements, this release contains the following functional fixes.
Installation, configuration, and deployment
- The Module Manager now correctly displays the list of modules (System > Tools > Web Setup Wizard > Module Manager). Previously, Magento threw an error when you tried to display the module list. Fix submitted by Vijay Golani in pull request 15756. GitHub-15192
- Banners are now visible only when their associated rules are applied.
- The Magento\Catalog\Model\ResourceModel\Category\Collection::joinUrlRewrite method now uses the storeId value set on the actual collection of the store rather than the storeId retrieved from the store manager. Fix submitted by Alessandro Pagnin in pull request 13756. GitHub-13704
- Magento now uses data-container="product-list" instead of data-container="product-grid" when displaying a product list. Fix submitted by Viral Vasara in pull request 15816. GitHub-15319
- The minicart now displays product names that contain special characters. Fix submitted by ampulos in pull request 14665. GitHub-13652
- You can now successfully upload logo images in Internet Explorer. Previously, Magento did not upload the image, but instead displayed this error: Object doesn't support property or method 'set'.
- CSS minification is now compatible with CSS3 calc() function. GitHub-8552
- Magento now preserves the user group ID when using /V1/customers/:customerId (PUT). Previously, Magento set the customer group ID to 1 when you called /V1/customers/:customerId (PUT) and the customer had an assigned group ID. Fix submitted by André Ferraz in pull request 14757. GitHub-14663
- Magento now supports Canadian Postal codes without spaces as expected. Fix submitted by Hitesh in pull request 16031. GitHub-13899
- Administrators can now add a parameter to app/etc/env.php: user_admin_email. This parameter ensures that when a new administrator account is created, Magento sends an email to the default store’s email and, if present, to an email address defined in user_admin_email.
- Magento now leaves at least one record after cleaning up the changelog tables after restarting MySQL. Previously, the product version_id lost the most recent auto_increment value after restarting MySQL. Fix submitted by Oleksandr Kravchuk in pull request 14471. GitHub-14465
- Magento now displays custom price symbols as expected. Previously, when a merchant created variations of a configurable product, product prices were not readable if they contained a custom price symbol. Fix submitted by Yaroslav Rogoza in pull request 14471. GitHub-14902
- Magento now correctly aligns submenus. Fix submitted by Dmytro Cheshun in pull request 15714. GitHub-7897
- Magento now supports Malaysian locales. Fix submitted by Dmytro Cheshun in pull request 15927. GitHub-14089
- The product video feature is now GDPR-compliant.
- Magento now checks that a product is assigned to a specific website in a multistore environment before a customer can write a product review. Previously, a customer could write a review for a product that was not assigned to the store they were logged in to. Fix submitted by afirlejczyk in pull request 14673.
- The transport event parameter has been changed from type Array() to type DataObject. This is a reversion of a change that was made in an earlier release. Fix submitted by gwharton in pull request 16601. GitHub-10210
- Merchants can now place an order for a grouped product where the quantity of subproducts is less than one unit. Fix submitted by Yaroslav Rogoza in pull request 15407. GitHub-14692
- Magento now sets the trigger_recollect attribute back to 0 after collecting total amounts for the quote. Previously, Magento timed out if a customer tried to reload a quote. Fix submitted by Yaroslav Rogoza in pull request 15522. GitHub-9580
- Magento no longer recalculates prices unnecessarily when refreshing the Catalog page, which has improved product performance. Fix submitted by Jeroen Van Leusden in pull request 15445. GitHub-14941
- The annotation for the formatDateTime function in the lib/internal/Magento/Framework/Stdlib/DateTime/TimezoneInterface.php file has been corrected. The locale and timezone have been changed to @param string|null $locale and @param string|null $timezone. Fix submitted by Vishal Gelani in pull request 15668. GitHub-15668
- The annotation for the formatDateTime function in the lib/internal/Magento/Framework/Stdlib/DateTime/TimezoneInterface.php file has been corrected. The locale and timezone have been changed to @param string|null $locale and @param string|null $timezone. Fix submitted by Vishal Gelani in pull request 15669. GitHub-15601
- The misspelling of setCategoryIds has been corrected throughout the code base. Fix submitted by Viral Vasara in pull request 15814.
- Customers can now successfully download and export PDFs after logging in. Previously, customers were redirected to the Admin when trying to download or export data to a PDF right after logging in. Fix submitted by Sanjay Patel in pull request 15767. GitHub-15510
- select elements now display with the styles you set in _theme.less as expected. Fix submitted by Hitesh in pull request 15796. GitHub-15608
- Client-side email validation now works in Internet Explorer 11.x the same way as it does in Chrome. Previously, a leading or trailing space on the following pages resulted in client-side validation failure in Magento stores deployed on Internet Explorer 11.x. Fix submitted by Piyush Dankhara in pull requests 15874 and 16297. GitHub-6058
  - Customer Account Login page email field
  - Customer Account create page
  - Customer Authentication popup when the Allow Guest Checkout is set to No
- .limiter now has the same parent selectors (similar to .pages) to prevent clashes between styles and layouts. Previously, .limiter was too generic and was used as single selector for floating the element. Fix submitted by Hitesh in pull request 15880. GitHub-15323
- Changing the @tab-content__border variable now affects the tabs content border as expected. Fix submitted by Hitesh in pull request 15917. GitHub-14999
- The Multiple Payment Methods Enabled setting now works as expected. Previously, Magento threw this error when this setting was enabled: Found 3 Elements with non-unique Id. Fix submitted by Viral Vasara in pull request 15834. GitHub-15348
- Primary buttons now have new LESS variables that permit you to change font-weight, font-size, and font-family without changing default button attributes. Fix submitted by Chirag Matholiya in pull request 16037. GitHub-15832
- We’ve added a space between the category page and the main footer on pages using a single column layout. Fix submitted by Sanjay Patel in pull request 15727. GitHub-12601
- Customers can now successfully log in after resetting their password. Previously, Magento displayed this error “You did not sign in correctly or your account is temporarily disabled” even though the new password hash had been updated in the customer entity. Fix submitted by Vishal Gelani in pull request 16255. GitHub-15255
- Magento no longer displays duplicate element IDs for gift messages in the checkout page. Fix submitted by Chirag Matholiya in pull request 16264. GitHub-13415
- Magento now correctly aligns page elements on the home page and category page of the Hot Seller section. Fix submitted by Chirag Matholiya in pull request 16287. GitHub-15213
- Fixed issues with the jQuery UI DatePicker’s display of sequential months. Fix submitted by Burlacu Vasilii in pull request 16280. GitHub-7379
- The clickableOverlay option in modals now works as expected. Fix submitted by Prince Patel in pull request 16665. GitHub-7399
- Users assigned a Restricted User role no longer receive the message Something went wrong when viewing orders.
- Magento no longer unnecessarily displays this warning when a customer opens a product page: The property price is not valid. GitHub-7173
- The Layout.eventManager now correctly dispatches the layout_render_before events before Magento renders the current layout.
- The Shipping and Estimate Tax page now correctly displays country, city, and postal code fields. Fix submitted by Vishal Gelani in pull request 16491. GitHub-8222
- Magento now displays the newsletter subscription confirmation message as expected after a customer clicks the confirmation link in the subscription confirmation email. Fix submitted by Rahul Kachhadiya in pull request 15860. GitHub-14747
- Magento no longer throws an error when trying to load the quote item collection using the Magento\Quote\Model\ResourceModel\QuoteItem\Collection::getItems() method. Fix submitted by Neeta Kangiya in pull request 15829.
- Magento now supports GNU free fonts in invoice and shipment PDFs. Previously, PDFs containing Arabic, Russian, Greek, Indian, or Thai alphabets did not correctly render those characters. Fix submitted by Ross in pull request 15829. GitHub-9666, GitHub-12323
- An exported invoice’s CSV file now contains information specific to the selected invoice only. Previously, when you selected Invoices > Export > CSV, and opened the CSV file, the exported file contained information from more than the selected invoice. Fix submitted by Yaroslav Rogoza in pull request 14903.
- The incorrect type hinting in PHPDocs has been corrected. Fix submitted by Dmytro Cheshun in pull request 15619. GitHub-13992
- You can now use the Enter key to submit a search form. Fix submitted by Vishal Gelani in pull request 16281. GitHub-13793
- XML sitemap generation can now be scheduled. Fix submitted by Yaroslav Rogoza in pull request 15159. GitHub-5768
- The REST API schema is now compatible with search criteria. The searchCriteria parameters builder now contains a zero index to the array signifier, which supports generation of the correct response when a user tests a method with search criteria parameters in Swagger. Fix submitted by Vishal Gelani in pull request 15945. GitHub-11477