Security Issue with uStore’s Single Sign-on API
uStore’s Single Sign-on (SSO) WS API generates a URL for seamless login to the Storefront.
A vulnerability was detected that allowed a URL generated on one server to be used on any other server, resulting in seamless login to stores on other servers.
Patch #721 was created to solve this issue.
Integration considerations
As a result of this patch, the content of the single sign-on URL has changed. URLs generated prior to the patch are no longer valid and will not work.
If your code generated URLs prior to the patch and stored them for later use, you will need to either regenerate the URLs or follow the best practice: each time a seamless login to the Storefront is needed, call the single sign-on WS API to generate a new URL.
Note: Systems using uStoreConnect are most likely using the single sign-on API, so their integration needs to be revisited.
Applying the patch
- For systems using uStore 8.1 or higher, log in to the Back Office and go to Presets > XMPie Services > Check for new updates. Install patch #721.
- For systems using uStore 8.0 or lower, contact Support for an upgrade.
Created by: Guy Schreiber, last updated: December 18, 2016