Concrete 5 CMS v8.5.6 Release Notes
-
π New Features
- β Added Session Options Dashboard page that will allow administrators to configure many aspects of the session cookie.
Behavioral Improvements
- β Added support for translation placeholders (thanks shahroq)
- π» Re-enabled connect to community for the marketplace; reworked to sidestep issues with browser cookie compatibility
- β Add autocomplete=off to various password fields.
- β‘οΈ "Index Search Engine - Updates" job should not re-index all entries (thanks hissy)
- π Fix default formatting of datetime exports in express export csv (thanks deek87)
- π Improvements to IP parsing for actions like allowlist/blocklist (thanks mlocati)
π Bug Fixes
- π Fixed error when pages werenβt getting accurately set in the full page cache.
- π Fixes for errors/warning occurring with PHP 7.3 and 7.4 when "Consider warnings as errors" is set (thanks arielkamoyedji)
- β Additional dialogs within CKEditor link dialog (Sitemap, Browse Server) prevent further page scrolling even after being closed (thanks hissy)
- π Fix error attaching a Facebook account to a user profile (thanks biplobice)
- π Fixed disappearing survey and calendar event dialogs in some cases (thanks hissy)
- π Bug fixes on switching language using the Switch Language block (thanks biplobice)
- π Fixed inability to save channel logging settings on the Dashboard page (thanks Hmone23)
- π Fixed bug where layouts canβt be moved above blocks (thanks Haeflimi)
- π Fixed bug in the 8.5 file manager when selecting on single file in multi-file selector (thanks deek87)
- π Fix to show page drafts created by the current user (thanks hissy)
- π Fix user selector attribute being un-searchable (Note: you will have to recreate your attributes before they are properly searchable).
π Bug fixes to search popup with pagination (thanks deek87, katz, hissy)
π Fixed 403 Error in Page Defaults when using REDIS for Caching (thanks deek87)
π Security Fixes
π (Special thanks to Solar Security Research Team and Concrete CMS Japan)
- π Fixed Hackerone report 1102067, CVE-2021-40097: Authenticated path traversal to RCE by adding a regular expression
- π Fixed Hackerone report 1102080, CVE-2021-40098: Path Traversal leading to RCE via external form by adding a regular expression
- π Fixed Hackerone report 982130, CVE-2021-40099: RCE Vulnerability by making fetching the update json scheme from concrete5 to be over HTTPS (instead of HTTP)
- π Fixed Hackerone report 616770, CVE-2021-40100: Stored XSS in Conversations (both client and admin) when Active Conversation Editor is set to "Rich Text"
- π Fixed Hackerone report 921288, CVE-2021-40102: Arbitrary File delete via PHAR deserialization
- π Fixed Hackerone report 1063039, CVE-2021-36766: Security issues when allowing phar:// within the directory input field. (thanks deek87)
- π Fixed Hackerone report 1102211, CVE-2021-40103: Path Traversal to Arbitrary File Reading and SSRF
- π Fixed Hackerone report 1102088, CVE-2021-40104: SVG sanitizer bypass by swapping out the SVG sanitizer in the core with this third party library darylldoyle/svg-sanitizer
- π Fixed Hackerone report 1102054, CVE-2021-40105: Fixed XSS vulnerability in the Markdown Editor class in the conversation options
- π Fixed Hackerone report 1102042, CVE-2021-40106: Unauth stored xss in blog comments (website field)
- π Fixed Hackerone report 1102020, CVE-2021-40107: Stored XSS in comment section/FileManger via "view_inline" option
- π Fixed Hackerone report 1102018, CVE-2021-40108: Adjusted core so that ccm_token is verified on "/index.php/ccm/calendar/dialogs/event/add/save" endpoint
- π Fixed Hackerone report 1102225 which was split into two CVEs: An attacker could duplicate topics and files which could possibly lead to UI inconvenience, and exhaustion of disk space.
- For CVE-2021-22949: Added checking CSRF token when duplicating files in the File Manager.
- For CVE-2021-22953: Added checking CSRF token when cloning topics in the sitemap.
- π Fixed Hackerone report 1102177, CVE-2021-22950: To fix CSRF in conversation attachment delete action, updated core to verify ccm_token when conversation attachments are deleted.
- π Fixed Hackerone report 1102105, CVE-2021-40109: To fix a reported SSRF vulnerability, the core was updated to disable redirects on upload, add an http client method to send request without following redirects, and put in a number of url/IP protections (examples: blocked big Endian urls, blocked IP variants from importing, prevented importing from hexadecimal/octal/long IPs)