8.5.21 Release Notes

Edit

Improvements?

Let us know by posting here.

Behavioral Improvements

  • When importing stacks we first check to see if a stack path exists on the stack node, and fallback to stack name if it does not (thanks mlocati)
  • Block Types: allow exporting NULL, don't "abstract" zeroes on import/export (thanks mlocati)
  • Backported log handling tweaks (thanks SashaMcr)

Bug Fixes

  • Fix exporting aliases of deleted blocks (thanks mlocati)
  • Fixed Copying a Express Entry List gives - Call to a member function getAreaHandle() (already included in version 9, backported)

Security Updates

  • Fixed CVE-2025-8571 Reflected XSS in Conversation Messages Dashboard Page by adding more sanitization to the Url::setVariable method with commit 12643 for version 9 and commit 12646 for version 8. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 4.8 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. Unsanitized input could cause theft of session cookies or tokens, defacement of web content, redirection to malicious sites, and (if victim is an admin), the execution of unauthorized actions. Thanks Fortbridge for performing a penetration test and vulnerability assessment on Concrete CMS and reporting this issue.