Behavioral Improvements
- Improvements to scheduled page version publishing (thanks hissy).
- Fixed login welcome back/desktop in Atomik theme (previously had JavaScript errors.)
- Performance improvements when retrieving access entities for users (thanks hissy)
- Updated translation library to 1.7.0 to allow 9.0 to be fully translated (thanks mlocati)
Bug Fixes
- Fixed error when installing Elemental on PHP 8 (https://github.com/concrete5/concrete5/issues/10003)
- Many display issues fixed when browsing marketplace from within your 9.0 site.
- Fixed issue where updating from 8.5.6 would disable concrete extensions in rich text editor.
- Fixed Unknown column 'folderItemName' in 'field list’ in folder item list custom code used by add-ons.
- Fixed time dropdowns not working when editing a calendar event.
- Fixed inability to install 9.0 with Composer.
- Fixed some missing social icons for social link types.
- Fixed inability for legacy LESS themes to support rgb and rgba colors.
- Fixed broken Dashboard page: Excluded URL Word List
- Fixed inability to see proper options selected when editing user attribute key.
- Fixed ImageValue::setImageFileID() must be of the type int, string given when updating some legacy theme customizer values (thanks martinkouba)
- Fixed page summary templates link not working in page design panel.
- Fixed inability to open block custom design toolbar in PHP 8.
- Bug fixes to theme updates that use the text type customizer in certain situations (thanks martinkouba)
- Fixed: Non super admin cannot move a block pasted from clipboard (thanks jaromirdalecky)
- Bug fixes to legacy theme customizer with themes that used the same variable for different variable types.
- Fixed error Base table or view not found: 1146 Tablemessengerscheduledtasks' doesn't exist when upgrading from 8.5.x to 9.0.
- Fixed: Country select menu has the
form-control
class instead of form-select
.
Developer Updates
- Banned Words validation service classes completely refactored and modernized (thanks hissy)
- Make it so users can disable core middlewares (thanks mlocati)
Security Fixes
- Fixed CVE-2021-22970: Concrete allowed local IP importing causing the system to be vulnerable to a. SSRF attacks on the private LAN servers and b. SSRF Mitigation Bypass through DNS Rebinding. Concrete now disabes all local IPs through the remote file uploading interface. Concrete CMS security team gave this a CVSS v3.1 score of 3.5 AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N This CVE is shared with HackerOne Reports #1364797 (Thanks Adrian Tiron from FORTBRIDGE (https://www.fortbridge.co.uk/ ) and #1360016 (Thanks Bipul Jaiswal) This fix is also in Concrete v 8.5.7