Concrete 5 CMS v8.5.6 Release Notes

🆕 New Features

  • ➕ Added a Session Options Dashboard page that allows administrators to configure many aspects of the session cookie.

Behavioral Improvements

  • ➕ Added support for translation placeholders (thanks shahroq)
  • 💻 Re-enabled "connect to community" for the marketplace; reworked to sidestep issues with browser cookie compatibility
  • ➕ Added autocomplete=off to various password fields.
  • ⚡️ The "Index Search Engine - Updates" job no longer re-indexes all entries (thanks hissy)
  • 🛠 Fixed default formatting of datetime exports in Express CSV export (thanks deek87)
  • 👌 Improvements to IP parsing for actions like allowlist/blocklist (thanks mlocati)

🐛 Bug Fixes

  • 🛠 Fixed an error where pages were not being set accurately in the full page cache.
  • 🛠 Fixes for errors/warnings occurring with PHP 7.3 and 7.4 when "Consider warnings as errors" is set (thanks arielkamoyedji)
  • ➕ Fixed additional dialogs within the CKEditor link dialog (Sitemap, Browse Server) preventing further page scrolling even after being closed (thanks hissy)
  • 🛠 Fixed an error when attaching a Facebook account to a user profile (thanks biplobice)
  • 🛠 Fixed survey and calendar event dialogs disappearing in some cases (thanks hissy)
  • 🐛 Bug fixes for switching language using the Switch Language block (thanks biplobice)
  • 🛠 Fixed inability to save channel logging settings on the Dashboard page (thanks Hmone23)
  • 🛠 Fixed a bug where layouts could not be moved above blocks (thanks Haeflimi)
  • 🛠 Fixed a bug in the 8.5 file manager when selecting a single file in the multi-file selector (thanks deek87)
  • 🛠 Fixed page drafts created by the current user not being shown (thanks hissy)
  • 🛠 Fixed the user selector attribute being unsearchable (Note: you will have to recreate your attributes before they are properly searchable).
  • 🐛 Bug fixes to the search popup with pagination (thanks deek87, katz, hissy)
  • 🛠 Fixed 403 error in Page Defaults when using Redis for caching (thanks deek87)

🔒 Security Fixes

🔒 (Special thanks to Solar Security Research Team and Concrete CMS Japan)

  • 🛠 Fixed HackerOne report 1102067, CVE-2021-40097: Authenticated path traversal leading to RCE, fixed by adding a regular expression
  • 🛠 Fixed HackerOne report 1102080, CVE-2021-40098: Path traversal leading to RCE via external form, fixed by adding a regular expression
  • 🛠 Fixed HackerOne report 982130, CVE-2021-40099: RCE vulnerability, fixed by fetching the update JSON from concrete5 over HTTPS (instead of HTTP)
  • 🛠 Fixed HackerOne report 616770, CVE-2021-40100: Stored XSS in Conversations (both client and admin) when the Active Conversation Editor is set to "Rich Text"
  • 🛠 Fixed HackerOne report 921288, CVE-2021-40102: Arbitrary file deletion via PHAR deserialization
  • 🛠 Fixed HackerOne report 1063039, CVE-2021-36766: Security issues when allowing phar:// within the directory input field (thanks deek87)
  • 🛠 Fixed HackerOne report 1102211, CVE-2021-40103: Path traversal leading to arbitrary file reading and SSRF
  • 🛠 Fixed HackerOne report 1102088, CVE-2021-40104: SVG sanitizer bypass, fixed by replacing the SVG sanitizer in the core with the third-party library darylldoyle/svg-sanitizer
  • 🛠 Fixed HackerOne report 1102054, CVE-2021-40105: XSS vulnerability in the Markdown Editor class in the conversation options
  • 🛠 Fixed HackerOne report 1102042, CVE-2021-40106: Unauthenticated stored XSS in blog comments (website field)
  • 🛠 Fixed HackerOne report 1102020, CVE-2021-40107: Stored XSS in the comment section/File Manager via the "view_inline" option
  • 🛠 Fixed HackerOne report 1102018, CVE-2021-40108: Adjusted the core so that ccm_token is verified on the "/index.php/ccm/calendar/dialogs/event/add/save" endpoint
  • 🛠 Fixed HackerOne report 1102225, which was split into two CVEs: an attacker could duplicate topics and files, which could lead to UI inconvenience and exhaustion of disk space.
      • CVE-2021-22949: Added CSRF token checking when duplicating files in the File Manager.
      • CVE-2021-22953: Added CSRF token checking when cloning topics in the sitemap.
  • 🛠 Fixed HackerOne report 1102177, CVE-2021-22950: To fix CSRF in the conversation attachment delete action, updated the core to verify ccm_token when conversation attachments are deleted.
  • 🛠 Fixed HackerOne report 1102105, CVE-2021-40109: To fix a reported SSRF vulnerability, the core was updated to disable redirects on upload, add an HTTP client method that sends a request without following redirects, and put in a number of URL/IP protections (examples: blocked big-endian URLs, blocked IP variants from importing, prevented importing from hexadecimal/octal/long IPs)
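As an added illustration of the last kind of protection (the IP-form checks), and not Concrete CMS's own code: a Python validator that refuses hexadecimal, octal, long-integer and shortened IP spellings in a user-supplied fetch URL and, for canonical literals, refuses non-public addresses. The function names, reason strings and sample URLs are constructed for this example; a real deployment must also vet the addresses a hostname resolves to.

```python
"""Refuse non-canonical and non-public IP forms in user-supplied fetch URLs."""
import ipaddress
import re
from urllib.parse import urlsplit

# A label is "numeric" if it is pure decimal (covers octal and long-integer
# spellings) or 0x-prefixed hex; real hostnames never consist only of such labels.
_NUMERIC_LABEL = re.compile(r"^(0x[0-9a-f]+|\d+)$", re.IGNORECASE)
# Canonical dotted-decimal: exactly four labels, no leading zeros, each 0-255.
_DOTTED_DECIMAL = re.compile(
    r"^(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}$"
)


def reject_reason(host):
    """Return why `host` must be refused, or None if the literal checks pass."""
    if ":" in host:  # IPv6 literal (urlsplit has already removed the brackets)
        try:
            addr = ipaddress.IPv6Address(host)
        except ValueError:
            return "malformed IPv6 literal"
        if addr.ipv4_mapped is not None:  # ::ffff:127.0.0.1 is really an IPv4
            addr = addr.ipv4_mapped
        return None if addr.is_global else "non-public address"
    if all(_NUMERIC_LABEL.match(label) for label in host.split(".")):
        # Numeric host: only the canonical spelling is accepted, so hex
        # (0x7f000001), octal (0177.0.0.1), long (2130706433) and short (127.1)
        # forms are refused before a resolver gets to reinterpret them.
        if not _DOTTED_DECIMAL.match(host):
            return "non-canonical IPv4 literal"
        if not ipaddress.IPv4Address(host).is_global:
            return "non-public address"
        return None
    return None  # hostname: check its resolved addresses too before connecting


def check_import_url(url):
    """Validate a URL before fetching it; returns (allowed, reason)."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https"):
        return False, "scheme not allowed"
    if not parts.hostname:
        return False, "missing host"
    reason = reject_reason(parts.hostname)
    return (True, None) if reason is None else (False, reason)
```

If redirects are followed at all, the same check has to be re-run on every redirect target, which is why the release disables them on upload instead.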