9.3.3 Release Notes

Edit

Improvements?

Let us know by posting here.

New Features

  • There is now an Add Page button when editing a site in mobile view (thanks hissy)

Behavioral Improvements

  • Improved installation speed.
  • Viewing a Dashboard user search preset and exporting will now properly export just the users in those search results (thanks SashaMcr)
  • Dialogs and panels do not burst out of small screens when editing on mobile devices (thanks hissy)
  • Allow using "secure" cookies automatically for HTTPS requests (thanks mlocati)
  • We now display the particular user that owns the writable directories on installation when checking that those directories are writable fails (thanks mlocati)
  • The Express Form block now uses the email HTML input type for email addresses, enabling better validation (thanks bikerdave)
  • Changed the hardcoded "items per page" to a configurable setting in the file chooser (thanks SashaMcr)
  • Fixed: Indexes for text fields removed after refreshing entities (thanks mlocati)
  • Improved suggested nginx rule for enabling pretty URLs (thanks mlocati)
  • Switch name of Concrete Monolog Cascade package (thanks bikerdave)
  • Better output sanitization in Top Navigation Bar block (thanks hissy)
  • Added additional explanation to the version scheduling interface (thanks KnollElias)

Bug Fixes

  • Fix: mobile editing menu hadn’t worked in version 9 (thanks hissy)
  • Fixing error: The remote updater throws: "The directory %s already exists. Perhaps this item has already been installed." when attempting to run the remote updater.
  • Updated verbiage on old featured theme and featured add-on Dashboard notification blocks, in case they’re installed on some older upgraded sites.
  • Fixed error on some sites when accidentally including a malformed package in the packages/ directory (thanks mlocati)
  • Fixed: Custom topic of page list block doesn't get saved (thanks hissy)
  • Fixed: Calendar Events with Versions created by Deleted Users Cannot be Edited
  • Fix type of "length" ORM annotation in SearchResult Health entity (thanks mlocati)
  • Fixed possible errors when using the Switch Language block to switch languages (thanks biplobice)
  • Fixed errors attempting to link over to the marketplace when the Concrete site in question does not have a public and private marketplace key (thanks pszostok)
  • Fixed: Share this Page “Print” option does not work.
  • Removed ID from X sharing service icon, because adding it to the page multiple times could cause W3C validation to complain (thanks quentinnorbert0)
  • Fixed error where third party library zircote/swagger-php could block installation of Concrete in Composer installations.
  • Fixed error related to lingering version block entries in the database persisting after they should be deleted under very specific circumstances (thanks bleenders)
  • Fixed: Error thrown when trying to save user attribute under very specific circumstances (thanks mnakalay)
  • Fixed: Foreign key constraint violation when deleting users associated with Board InstanceSlotRules

Developer Updates

  • Translation library parsers can now be customized and extended (thanks mlocati)

Security Updates

  • Fixed CVE-2024-4350 Stored XSS in RSS Displayer with commit 12166 for version 9 and with commit c08d9671cec4e7afdabb547339c4bc0bed8eab06 for version 8. Prior to the fix a rogue administrator could inject malicious code into fields due to insufficient input validation. The Concrete CMS security team gave this vulnerability a CVSS v3.1 score of 3.0 with a vector of AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N and a CVSS v4 score of 2.1 with vector CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N Thanks m3dium for reporting HackerOne 2479824

  • Fixed CVE-2024-4353 Stored XSS in Generate Board Name Input Field commit 12151. Prior to the fix, the name input field does not check the input sufficiently letting a rogue administrator have the capability to inject malicious JavaScript code. The Concrete CMS security team gave this vulnerability a CVSS v3.1 score of 3.1 with a vector of AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N and a CVSS v4 score of 1.8 with vector CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N Concrete versions below 9 are not affected by this vulnerability. Thanks fhAnso for reporting HackerOne 2597394

  • Fixed CVE-2024-7394 Stored XSS in getAttributeSetName() by sanitizing Board instance names on output with commit 12166 for version 9 and commit c08d9671cec4e7afdabb547339c4bc0bed8eab06 for version 8. Prior to the fix, a rogue administrator could inject malicious code. The Concrete CMS team ranked this a CVSS v3.1 rank of 2 with vector AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N and a CVSS v4.0 rank of 1.8 with vector CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks m3dium for reporting HackerOne 2463288

  • Fixed CVE-2024-7512 Stored XSS in Board instances by sanitizing instance names with commit https://github.com/concretecms/concretecms/pull/12151. Prior to the fix a rogue administrator could inject malicious code. The Concrete CMS security team gave this vulnerability a CVSS 4.0 Score of 1.8 with vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Versions below 9 are not affected.Thanks m3dium for reporting HackerOne 2486344.

  • Show a more generic error message in RSS Displayer block if curl is unable to load posts. Thanks m3dium for recommending this in HackerOne 2479824

  • Concrete v.9.3.3 now enforces the Secure Flag for the CONCRETE cookie if a login request is using https by default. This is in line with industry best practice. If a site is served over http:// and the guest uses http:// to log in, the CONCRETE cookie will not have the Secure flag applied so that the site is usable. Although the patch could not be applied cleanly to version 8, the Secure Flag setting can be configured via the dashboard. Since this is a configuration setting, no CVE is being issued. Thanks Yusuke Uchida for reporting HackerOne 2399192.