Skip to content

8.5.6
Compare
Choose a tag to compare
@aembler aembler released this 16 Sep 16:50
· 286 commits to 8.5.x since this release
8.5.6
f9c8e08

New Features

  • Added Session Options Dashboard page that will allow administrators to configure many aspects of the session cookie.

Behavioral Improvements

  • Added support for translation placeholders (thanks shahroq)
  • Re-enabled connect to community for the marketplace; reworked to sidestep issues with browser cookie compatibility
  • Add autocomplete=off to various password fields.
  • "Index Search Engine - Updates" job should not re-index all entries (thanks hissy)
  • Fix default formatting of datetime exports in express export csv (thanks deek87)
  • Improvements to IP parsing for actions like allowlist/blocklist (thanks mlocati)

Bug Fixes

  • Fixed error when pages weren’t getting accurately set in the full page cache.

  • Fixes for errors/warning occurring with PHP 7.3 and 7.4 when "Consider warnings as errors" is set (thanks arielkamoyedji)

  • Additional dialogs within CKEditor link dialog (Sitemap, Browse Server) prevent further page scrolling even after being closed (thanks hissy)

  • Fix error attaching a Facebook account to a user profile (thanks biplobice)

  • Fixed disappearing survey and calendar event dialogs in some cases (thanks hissy)

  • Bug fixes on switching language using the Switch Language block (thanks biplobice)

  • Fixed inability to save channel logging settings on the Dashboard page (thanks Hmone23)

  • Fixed bug where layouts can’t be moved above blocks (thanks Haeflimi)

  • Fixed bug in the 8.5 file manager when selecting on single file in multi-file selector (thanks deek87)

  • Fix to show page drafts created by the current user (thanks hissy)

  • Fix user selector attribute being un-searchable (Note: you will have to recreate your attributes before they are properly searchable).

  • Bug fixes to search popup with pagination (thanks deek87, katz, hissy)

  • Fixed 403 Error in Page Defaults when using REDIS for Caching (thanks deek87)

Security Fixes

  • Fixed Hackerone report 1102067, CVE-2021-40097: Authenticated path traversal to RCE by adding a regular expression
  • Fixed Hackerone report 1102080, CVE-2021-40098: Path Traversal leading to RCE via external form by adding a regular expression
  • Fixed Hackerone report 982130, CVE-2021-40099: RCE Vulnerability by making fetching the update json scheme from concrete5 to be over HTTPS (instead of HTTP)
  • Fixed Hackerone report 616770, CVE-2021-40100: Stored XSS in Conversations (both client and admin) when Active Conversation Editor is set to "Rich Text"
  • Fixed Hackerone report 921288, CVE-2021-40102: Arbitrary File delete via PHAR deserialization
  • Fixed Hackerone report 1063039, CVE-2021-36766: Security issues when allowing phar:// within the directory input field. (thanks deek87)
  • Fixed Hackerone report 1102211, CVE-2021-40103: Path Traversal to Arbitrary File Reading and SSRF
  • Fixed Hackerone report 1102088, CVE-2021-40104: SVG sanitizer bypass by swapping out the SVG sanitizer in the core with this third party library darylldoyle/svg-sanitizer
  • Fixed Hackerone report 1102054, CVE-2021-40105: Fixed XSS vulnerability in the Markdown Editor class in the conversation options
  • Fixed Hackerone report 1102042, CVE-2021-40106: Unauth stored xss in blog comments (website field)
  • Fixed Hackerone report 1102020, CVE-2021-40107: Stored XSS in comment section/FileManger via "view_inline" option
  • Fixed Hackerone report 1102018, CVE-2021-40108: Adjusted core so that ccm_token is verified on "/index.php/ccm/calendar/dialogs/event/add/save" endpoint
  • Fixed Hackerone report 1102225 which was split into two CVEs: An attacker could duplicate topics and files which could possibly lead to UI inconvenience, and exhaustion of disk space.
    For CVE-2021-22949: Added checking CSRF token when duplicating files in the File Manager.
    For CVE-2021-22953: Added checking CSRF token when cloning topics in the sitemap.
  • Fixed Hackerone report 1102177, CVE-2021-22950: To fix CSRF in conversation attachment delete action, updated core to verify ccm_token when conversation attachments are deleted.
  • Fixed Hackerone report 1102105, CVE-2021-40109: To fix a reported SSRF vulnerability, the core was updated to disable redirects on upload, add an http client method to send request without following redirects, and put in a number of url/IP protections (examples: blocked big Endian urls, blocked IP variants from importing, prevented importing from hexadecimal/octal/long IPs)

(Special thanks to Solar Security Research Team and Concrete CMS Japan)

Assets 2