8.5.6 Release Notes
New Features
- Added a Session Options Dashboard page that allows administrators to configure many aspects of the session cookie.
Behavioral Improvements
- Added support for translation placeholders (thanks shahroq)
- Re-enabled connect to community for the marketplace; reworked to sidestep issues with browser cookie compatibility
- Added autocomplete=off to various password fields.
- "Index Search Engine - Updates" job should not re-index all entries (thanks hissy)
- Fix default formatting of datetime exports in express export csv (thanks deek87)
- Improvements to IP parsing for actions like allowlist/blocklist (thanks mlocati)
Bug Fixes
- Fixed an error where pages were not being correctly stored in the full page cache.
- Fixes for errors/warnings occurring with PHP 7.3 and 7.4 when "Consider warnings as errors" is set (thanks arielkamoyedji)
- Fixed an issue where additional dialogs within the CKEditor link dialog (Sitemap, Browse Server) prevented further page scrolling even after being closed (thanks hissy)
- Fix error attaching a Facebook account to a user profile (thanks biplobice)
- Fixed disappearing survey and calendar event dialogs in some cases (thanks hissy)
- Bug fixes on switching language using the Switch Language block (thanks biplobice)
- Fixed inability to save channel logging settings on the Dashboard page (thanks Hmone23)
- Fixed bug where layouts can’t be moved above blocks (thanks Haeflimi)
- Fixed bug in the 8.5 file manager when selecting a single file in the multi-file selector (thanks deek87)
- Fix to show page drafts created by the current user (thanks hissy)
- Fix user selector attribute being un-searchable (Note: you will have to recreate your attributes before they are properly searchable).
- Bug fixes to search popup with pagination (thanks deek87, hissy)
- Fixed 403 Error in Page Defaults when using REDIS for Caching (thanks deek87)
Security Fixes
(Special thanks to Solar Security Research Team and Concrete CMS Japan)
Fixes for High Vulnerabilities
- Fixed Hackerone report 1102067, CVE-2021-40097: Authenticated path traversal to RCE, fixed by adding a regular expression
- Fixed Hackerone report 1102080, CVE-2021-40098: Path traversal leading to RCE via external form, fixed by adding a regular expression
- Fixed Hackerone report 982130, CVE-2021-40099: RCE vulnerability, fixed by fetching the update JSON from concrete5 over HTTPS (instead of HTTP)
- Fixed Hackerone report 616770, CVE-2021-40100: Stored XSS in Conversations (both client and admin) when Active Conversation Editor is set to "Rich Text"
- Fixed Hackerone report 921288, CVE-2021-40102: Arbitrary file delete via PHAR deserialization
Fixes for Medium Vulnerabilities
- Fixed Hackerone report 1063039, CVE-2021-36766: Security issues when allowing phar:// within the directory input field (thanks deek87)
- Fixed Hackerone report 1102211, CVE-2021-40103: Path traversal to arbitrary file reading and SSRF
- Fixed Hackerone report 1102088, CVE-2021-40104: SVG sanitizer bypass, fixed by swapping out the SVG sanitizer in the core for the third-party library darylldoyle/svg-sanitizer
- Fixed Hackerone report 1102054, CVE-2021-40105: XSS vulnerability in the Markdown Editor class used by the conversation options
- Fixed Hackerone report 1102042, CVE-2021-40106: Unauthenticated stored XSS in blog comments (website field)
- Fixed Hackerone report 1102020, CVE-2021-40107: Stored XSS in comment section/File Manager via "view_inline" option
- Fixed Hackerone report 1102018, CVE-2021-40108: Adjusted core so that ccm_token is verified on the "/index.php/ccm/calendar/dialogs/event/add/save" endpoint
Fixes for Low Vulnerabilities
- Fixed Hackerone report 1102225, which was split into two CVEs: an attacker could duplicate topics and files, which could possibly lead to UI inconvenience and exhaustion of disk space. For CVE-2021-22949: added checking of the CSRF token when duplicating files in the File Manager. For CVE-2021-22953: added checking of the CSRF token when cloning topics in the sitemap.
- Fixed Hackerone report 1102177, CVE-2021-22950: To fix CSRF in the conversation attachment delete action, updated core to verify ccm_token when conversation attachments are deleted.
- Fixed Hackerone report 1102105, CVE-2021-40109: To fix a reported SSRF vulnerability, the core was updated to disable redirects on upload, add an HTTP client method to send requests without following redirects, and put in a number of URL/IP protections (examples: blocked big-endian URLs, blocked IP variants from importing, prevented importing from hexadecimal/octal/long IPs)
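As an added illustration of the kind of URL/IP protection described for CVE-2021-40109 (example code, not Concrete CMS's own PHP implementation), the Python validator below accepts only http(s) URLs whose host is a canonical, publicly routable IP literal or a plain DNS name, rejects hexadecimal, octal, short-form and single-integer IP spellings before any request is made, and pairs it with an opener that refuses to follow redirects. The function and class names are invented for this example.

```python
import ipaddress
import re
from urllib.parse import urlsplit
from urllib.request import HTTPRedirectHandler, build_opener

# Canonical dotted-decimal IPv4 only: no leading zeros (octal), no 0x (hex),
# exactly four labels (so "127.1" is out) and no bare integers ("long" form).
_OCTET = r"(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
_DOTTED_DECIMAL = re.compile(rf"^{_OCTET}(\.{_OCTET}){{3}}$")
_LABEL = r"(?!-)[a-z0-9-]{1,63}(?<!-)"
_HOSTNAME = re.compile(rf"^{_LABEL}(\.{_LABEL})*$", re.IGNORECASE)


def is_safe_import_url(url: str) -> bool:
    """Return True only for http(s) URLs whose host is a public IP literal
    in canonical form or a DNS name.  Every alternative IP encoding is
    rejected here so it never reaches the HTTP client.  (DNS names still
    need a resolve-then-check step at fetch time; that is out of scope.)"""
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. malformed IPv6 bracket syntax
        return False
    host = parts.hostname  # lower-cased, IPv6 brackets already stripped
    if parts.scheme.lower() not in ("http", "https") or not host:
        return False
    if ":" in host:  # IPv6 literal: must parse and be globally routable
        try:
            return ipaddress.IPv6Address(host).is_global
        except ValueError:
            return False
    if _DOTTED_DECIMAL.match(host):  # canonical IPv4: must be public
        return ipaddress.IPv4Address(host).is_global
    # Anything else must be a DNS name.  Refusing hex labels and requiring a
    # letter in the last label rejects "0x7f000001", "2130706433",
    # "0177.0.0.1", "0x7f.1" and "127.1" while keeping "example.com".
    if not _HOSTNAME.match(host):
        return False
    labels = host.split(".")
    if any(label.startswith("0x") for label in labels):
        return False
    return any(ch.isalpha() for ch in labels[-1])


class _NoRedirect(HTTPRedirectHandler):
    """Refuse every 3xx so a validated URL cannot bounce the fetch to an
    internal address after the check has passed."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


# Opener that raises HTTPError on a redirect instead of following it.
no_redirect_opener = build_opener(_NoRedirect)
```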