The security firm sucuri.net audited HikaShop and found a security issue in the user activation step that follows HikaShop's registration process.

The only cases where it is not a problem are if you have deactivated user registration or user activation in the options of the Joomla user manager.

Otherwise, you'll have to either update your HikaShop to 2.3.3 or patch your current version.

We extended the expired subscriptions of all our commercial editions of HikaShop to the 10th of October so that anyone can update their HikaShop easily: go to the menu "My account > My subscriptions" on our website, download the latest version and then install it via the Joomla installer on your website.

If, nevertheless, you have customized HikaShop and cannot or do not want to update, you can apply the patch below:

In the file administrator/components/com_hikashop/classes/user.php, replace the line:

$vars = urlencode(base64_encode(serialize(array('passwd'=>$this->registerData->password,'username'=>$this->registerData->username))));

with:

$vars = urlencode(base64_encode(json_encode(array('passwd'=>$this->registerData->password,'username'=>$this->registerData->username))));

And in the file components/com_hikashop/controllers/checkout.php, replace the line:

$infos = unserialize(base64_decode($infos));

with:

$infos = json_decode(base64_decode($infos),true);
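The two replacements above change how the registration data carried in the activation link is encoded and decoded: unserialize() on a string that a visitor can supply in a URL lets that visitor choose which PHP classes get instantiated (and so which __wakeup() or __destruct() code runs), whereas json_decode() only ever produces scalars, arrays and stdClass. The following added example, which is not HikaShop's own code, shows the patched encode/decode pair together with a small validation step a site administrator can add on top, so that anything other than the two expected string fields is rejected. Function names and the sample credentials are assumptions; Joomla's request layer has already URL-decoded the parameter by the time checkout.php sees it, so the example calls urldecode() itself.

```php
<?php
// Added example, not part of HikaShop. Demonstrates the patched
// json_encode()/json_decode() path and validates the decoded structure.

// Encoding side, mirroring the patched line in user.php.
function encodeRegisterInfo(string $username, string $password): string
{
    return urlencode(base64_encode(json_encode(
        array('passwd' => $password, 'username' => $username)
    )));
}

// Decoding side, mirroring the patched line in checkout.php, plus checks
// that only the two expected string fields are accepted. Returns null
// (meaning "reject this request") for anything else.
function decodeRegisterInfo(string $infos): ?array
{
    // Strict mode: characters outside the base64 alphabet make this return false.
    $raw = base64_decode($infos, true);
    if ($raw === false) {
        return null;
    }

    // true => associative arrays only; no object of any class is ever created.
    $data = json_decode($raw, true);
    if (json_last_error() !== JSON_ERROR_NONE || !is_array($data)) {
        return null;
    }

    // Exactly the fields written by encodeRegisterInfo(), both as strings.
    if (count($data) !== 2
        || !isset($data['passwd'], $data['username'])
        || !is_string($data['passwd'])
        || !is_string($data['username'])) {
        return null;
    }

    return $data;
}

// Round trip with constructed sample data.
$encoded = encodeRegisterInfo('alice', 'correct horse battery staple');
var_dump(decodeRegisterInfo(urldecode($encoded)));
// array(2) { ["passwd"]=> string(28) "..." ["username"]=> string(5) "alice" }

// A serialized-object string is not JSON: json_decode() fails with
// JSON_ERROR_SYNTAX and the request is rejected. Under the old unserialize()
// call the same bytes would have produced a stdClass object.
var_dump(decodeRegisterInfo(base64_encode('O:8:"stdClass":0:{}')));
// NULL

// A JSON document of the wrong shape (a top-level string) is also rejected.
var_dump(decodeRegisterInfo(base64_encode('"just a string"')));
// NULL
```

The validation step is an addition beyond the published patch: json_decode() alone already removes the object-instantiation risk, but checking the shape of the result means a tampered link fails early with a clear null instead of reaching the checkout logic with missing or non-string fields.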


Regarding HikaMarket, a similar security issue exists in versions 1.4.2 and 1.4.3 of the Multivendor edition. We also extended the subscriptions of users who have downloaded HikaMarket Multivendor 1.4.2 or 1.4.3.
If you have one of these versions, please update as soon as possible.

HikaMarket Front-end and HikaMarket Multivendor below 1.4.2 are not impacted by the issue.