8.5.6 Release Notes


Let us know by posting here.

New Features

  • Added Session Options Dashboard page that will allow administrators to configure many aspects of the session cookie.

Behavioral Improvements

  • Added support for translation placeholders (thanks shahroq)
  • Re-enabled connect to community for the marketplace; reworked to sidestep issues with browser cookie compatibility
  • Add autocomplete=off to various password fields.
  • "Index Search Engine - Updates" job should not re-index all entries (thanks hissy)
  • Fix default formatting of datetime exports in express export csv (thanks deek87)
  • Improvements to IP parsing for actions like allowlist/blocklist (thanks mlocati)

Bug Fixes

  • Fixed error when pages weren’t getting accurately set in the full page cache.
  • Fixes for errors/warning occurring with PHP 7.3 and 7.4 when "Consider warnings as errors" is set (thanks arielkamoyedji)
  • Additional dialogs within CKEditor link dialog (Sitemap, Browse Server) prevent further page scrolling even after being closed (thanks hissy)
  • Fix error attaching a Facebook account to a user profile (thanks biplobice)
  • Fixed disappearing survey and calendar event dialogs in some cases (thanks hissy)
  • Bug fixes on switching language using the Switch Language block (thanks biplobice)
  • Fixed inability to save channel logging settings on the Dashboard page (thanks Hmone23)
  • Fixed bug where layouts can’t be moved above blocks (thanks Haeflimi)
  • Fixed bug in the 8.5 file manager when selecting on single file in multi-file selector (thanks deek87)
  • Fix to show page drafts created by the current user (thanks hissy)
  • Fix user selector attribute being un-searchable (Note: you will have to recreate your attributes before they are properly searchable).
  • Bug fixes to search popup with pagination (thanks deek87, hissy)

  • Fixed 403 Error in Page Defaults when using REDIS for Caching (thanks deek87)

Security Fixes

(Special thanks to Solar Security Research Team and Concrete CMS Japan)

Fixes for High Vulnerabilities *Fixed Hackerone report 1102067, CVE-2021-40097: Authenticated path traversal to RCE by adding a regular expression

*Fixed Hackerone report 1102080, CVE-2021-40098: Path Traversal leading to RCE via external form by adding a regular expression

  • Fixed Hackerone report 982130, CVE-2021-40099: RCE Vulnerability by making fetching the update json scheme from concrete5 to be over HTTPS (instead of HTTP)
  • Fixed Hackerone report 616770, CVE-2021-40100: Stored XSS in Conversations (both client and admin) when Active Conversation Editor is set to "Rich Text" *Fixed Hackerone report 921288, CVE-2021-40102: Arbitrary File delete via PHAR deserialization

Fixes for Medium Vulnerabilities * Fixed Hackerone report 1063039, CVE-2021-36766: Security issues when allowing phar:// within the directory input field. (thanks deek87)

  • Fixed Hackerone report 1102211, CVE-2021-40103: Path Traversal to Arbitrary File Reading and SSRF

  • Fixed Hackerone report 1102088, CVE-2021-40104: SVG sanitizer bypass by swapping out the SVG sanitizer in the core with this third party library darylldoyle/svg-sanitizer

  • Fixed Hackerone report 1102054, CVE-2021-40105: Fixed XSS vulnerability in the Markdown Editor class in the conversation options

*Fixed Hackerone report 1102042, CVE-2021-40106: Unauth stored xss in blog comments (website field)

*Fixed Hackerone report 1102020, CVE-2021-40107: Stored XSS in comment section/FileManger via "view_inline" option

*Fixed Hackerone report 1102018, CVE-2021-40108: Adjusted core so that ccm_token is verified on "/index.php/ccm/calendar/dialogs/event/add/save" endpoint

Fixes for Low Vulnerabilities *Fixed Hackerone report 1102225 which was split into two CVEs: An attacker could duplicate topics and files which could possibly lead to UI inconvenience, and exhaustion of disk space. For CVE-2021-22949: Added checking CSRF token when duplicating files in the File Manager. For CVE-2021-22953: Added checking CSRF token when cloning topics in the sitemap.

*Fixed Hackerone report 1102177, CVE-2021-22950: To fix CSRF in conversation attachment delete action, updated core to verify ccm_token when conversation attachments are deleted.

*Fixed Hackerone report 1102105, CVE-2021-40109: To fix a reported SSRF vulnerability, the core was updated to disable redirects on upload, add an http client method to send request without following redirects, and put in a number of url/IP protections (examples: blocked big Endian urls, blocked IP variants from importing, prevented importing from hexadecimal/octal/long IPs)

Developer Updates