8.5.14 Release Notes

Improvements?

Let us know by posting here.

Bug Fixes

  • We continue to support TLS 1.2 in Zend Mail (thanks hissy, mlocati)

Security Fixes

  • Fixed CVE-2023-48653, a Cross Site Request Forgery (CSRF) via ccm/calendar/dialogs/event/delete/submit, by updating the dialog endpoints to accept only POST requests that include a CSRF token (commit 11765 for 8.5.14). Before the fix, an attacker could force an admin to delete events on the site because event IDs are numeric and sequential. The Concrete CMS Security team scored this 4.3 with CVSS v3 vector AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N. Thanks Veshraj Ghimire for reporting.
  • Fixed CVE-2023-48650, a Stored XSS in the Layout Preset Name, with commit 11765 in 8.5.14. The Concrete CMS Security team scored this 3.5 with CVSS v3 vector AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N. Thanks Solar Security CMS Research, d0bby (https://hackerone.com/d0bby), wezery0 and silvereniqma, in collaboration, for reporting!
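The two fixes above rest on two defensive patterns: a state-changing dialog endpoint must accept only POST requests carrying a CSRF token, and a user-supplied name stored in the database must be escaped when it is rendered. The following PHP is an added illustration of both, not Concrete CMS's own code: it uses plain PHP with no framework, and the names EventStore, delete_event_vulnerable(), delete_event_hardened(), render_preset_option(), the form field ccm_token and the session key csrf_token are assumptions made for the example.

```php
<?php
// Added illustration (not Concrete CMS code) of the two defensive patterns
// behind the 8.5.14 security fixes. EventStore, the function names, the
// ccm_token field and the csrf_token session key are assumed for the demo.

declare(strict_types=1);

// Minimal in-memory store standing in for the calendar's event table.
final class EventStore
{
    /** @var array<int, string> */
    private array $events;

    public function __construct(array $events) { $this->events = $events; }
    public function delete(int $id): void { unset($this->events[$id]); }
    public function ids(): array { return array_keys($this->events); }
}

// --- 1. CSRF protection for a state-changing endpoint -----------------------

// One random token per session; the dialog form embeds it in a hidden field.
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Vulnerable shape (before the fix): any request naming a numeric id deletes.
// Because ids are sequential, a page an admin merely visits can trigger this.
function delete_event_vulnerable(array $request, EventStore $store): string
{
    $id = (int) ($request['eventID'] ?? 0);
    $store->delete($id);
    return 'deleted';
}

// Hardened shape: only POST, and only with a token matching the session's.
function delete_event_hardened(string $method, array $post, array $session, EventStore $store): string
{
    if ($method !== 'POST') {
        return 'rejected: method not allowed';
    }
    $expected = $session['csrf_token'] ?? '';
    $given    = (string) ($post['ccm_token'] ?? '');
    // hash_equals() compares in constant time; an empty expected token is
    // rejected outright so a session without a token can never pass.
    if ($expected === '' || !hash_equals($expected, $given)) {
        return 'rejected: invalid token';
    }
    $id = (int) ($post['eventID'] ?? 0);
    $store->delete($id);
    return 'deleted';
}

// --- 2. Stored XSS: escape a stored, user-supplied name at output time ------

// A preset name is free text stored verbatim. Escaping it with
// htmlspecialchars() at render time neutralises any markup it contains.
function render_preset_option(string $presetName): string
{
    $safe = htmlspecialchars($presetName, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<option value="' . $safe . '">' . $safe . '</option>';
}

// Demo with constructed data.
$session = [];
$token   = csrf_token($session);
$store   = new EventStore([1 => 'Launch', 2 => 'Retro']);

echo delete_event_hardened('GET', ['eventID' => 1], $session, $store), "\n";
echo delete_event_hardened('POST', ['eventID' => 1], $session, $store), "\n";
echo delete_event_hardened('POST', ['eventID' => 1, 'ccm_token' => $token], $session, $store), "\n";
print_r($store->ids());

echo render_preset_option('<script>alert(1)</script>'), "\n";
```

Run with `php example.php`: the GET request and the POST without a token are both rejected and leave the store untouched, only the tokened POST deletes event 1, and the preset name is emitted as inert text with its angle brackets and quotes encoded. The method check alone is not enough, since a cross-site form can POST; the per-session token is what ties the request to a page the victim actually loaded.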