9.2.3 Release Notes

Improvements?

Let us know by posting here.

Behavioral Improvements

  • Renamed Twitter to “X” in the social networking and social sharing services.
  • Health: add a link from reports to the "Start a New Report" page (thanks mlocati)
  • Logs with long paths in their messages no longer display beneath the Dashboard panel in the Logs report.
  • Packages are now alphabetically sorted in the Dashboard listing interface (thanks JohnTheFish)
  • Add the package name and version to the package install success message (thanks JohnTheFish)
  • Translate package name in update message (thanks JohnTheFish)

Bug Fixes

  • Fixed error when saving a layout preset under PHP 8.
  • Fixed importing IP access log channels (thanks mlocati)
  • Fixed issue when importing trees and tree nodes when used with custom classes in packages.
  • Fixed: we export three custom styles for blocks and areas that we don’t import (thanks mlocati)
  • Fixed bug where, if a file folder was added as a favorite and then deleted in the file manager, the user would receive errors when using the file chooser.
  • Fixed weird behavior when using the content exporter to export pages with scrapbook pasted blocks in them (thanks mlocati)
  • Fixed importing RSS displayer blocks under certain conditions from CIF XML (thanks mlocati)
  • Bug fixes to CIF XML files (thanks mlocati)
  • Fixed: Topic List block: Add missing titleFormat to exported CIF (thanks mlocati)
  • Bug fixes to importing tree node types (thanks mlocati)
  • Bug fixes to importing site type skeletons (thanks mlocati)
  • Fix bug in c5:translate --fill (thanks mlocati)
  • Bug fixes to editing page types under PHP 8 in certain conditions (thanks mlocati)

Developer Notes

  • The X social networking service icon is provided as an SVG - meaning that your theme may need to be updated to properly style SVGs as well as font icons when displaying “Share this Page” or “Social Networking” service icons.
  • Cleanup of CIF XML files (thanks mlocati)
  • Improvements to the Xml service class (thanks mlocati)
  • We now accept boolean-like values when importing booleans from CIF XML files (thanks mlocati)

Security Fixes

  • Fixed CVE-2023-44762 Reflected XSS in Tags with commit 11764. This vulnerability only affects Concrete versions 9.2 through 9.2.2, since the file this touches is in Bedrock, using a custom library the project wrote for version 9.2.0.
  • Fixed CVE-2023-44764 Stored XSS in Concrete Site Installation in Name parameter with commit 11764.
  • Fixed CVE-2023-48652 Cross Site Request Forgery (CSRF) via /ccm/system/dialogs/logs/delete_all/submit with commit 11764. An attacker can force an admin user to delete server report logs on a web application to which they are currently authenticated. The Concrete CMS Security team scored this 6.3 with CVSS v3 vector AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L. This does not affect versions below 9. Thanks Veshraj Ghimire for reporting.
  • Fixed CVE-2023-48651 by updating Dialog endpoints to only accept POST requests with tokens included, with commit 11764. Prior to the fix, a Cross Site Request Forgery (CSRF) vulnerability allowing file deletion was present at /ccm/system/dialogs/file/delete/1/submit. The Concrete CMS Security team scored this 4.3 with CVSS v3 vector AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L. This does not affect versions below 9. Thanks Veshraj Ghimire for reporting.
  • Fixed CVE-2023-48653 Cross Site Request Forgery (CSRF) via ccm/calendar/dialogs/event/delete/submit by updating Dialog endpoints to only accept POST requests with tokens included, with commit 11764 for 9.2.3. Prior to the fix, an attacker could force an admin to delete events on the site because the event ID is numeric and sequential. The Concrete CMS Security team scored this 4.3 with CVSS v3 vector AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N. Thanks Veshraj Ghimire for reporting.
  • Fixed CVE-2023-48650 Stored XSS in Layout Preset Name with commit 11764 in 9.2.3 and commit 11765 in 8.5.14. The Concrete CMS Security team scored this 3.5 with CVSS v3 vector AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N. Thanks Solar Security CMS Research, with d0bby, wezery0 and silvereniqma in collaboration, for reporting!
  • Fixed CVE-2023-49337 Stored XSS on Admin Dashboard via /dashboard/system/basics/name with commit 07b4337. The Concrete CMS Security team scored this 2.4 with CVSS v3 vector AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N. Thanks Ramshath MM for reporting (H1 2232594). This vulnerability is not present in Concrete 8.5 and below.
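The three CSRF entries above share one fix: dialog delete endpoints now accept only POST requests that carry a valid token. The following is an added illustration of that pattern, not Concrete CMS code; the function names, the session array, the action name and the ccm_token field name are assumptions.

```php
<?php
// Added example, not Concrete CMS code: the fix pattern the CSRF entries describe,
// a dialog delete action that accepts only POST requests carrying a valid token.
// Function names, the session array and the ccm_token field name are assumptions.
declare(strict_types=1);

const TOKEN_TTL = 3600; // seconds a token stays valid

// Issue a token bound to the user's session secret and to one action, so a token
// captured from one dialog cannot be replayed against a different endpoint.
function generateToken(array $session, string $action): string
{
    $ts = (string) time();
    return $ts . ':' . hash_hmac('sha256', "$action:$ts", $session['csrf_secret']);
}

function validateToken(array $session, string $action, ?string $token): bool
{
    if ($token === null || substr_count($token, ':') !== 1) {
        return false;
    }
    [$ts, $mac] = explode(':', $token);
    if (!ctype_digit($ts) || time() - (int) $ts > TOKEN_TTL) {
        return false;
    }
    $expected = hash_hmac('sha256', "$action:$ts", $session['csrf_secret']);
    return hash_equals($expected, $mac); // constant-time comparison
}

// The hardened handler refuses non-POST requests and requests without a valid
// token before any state change, so a link or auto-submitting form from another
// origin can no longer trigger the delete in an authenticated admin's browser.
function handleDeleteRequest(array $session, string $method, array $post, callable $delete): array
{
    if ($method !== 'POST') {
        return ['status' => 405, 'error' => 'Method not allowed'];
    }
    if (!validateToken($session, 'delete_file', $post['ccm_token'] ?? null)) {
        return ['status' => 403, 'error' => 'Invalid or missing CSRF token'];
    }
    $delete((int) ($post['fID'] ?? 0));
    return ['status' => 200];
}

// Constructed session and requests so the handler can be exercised offline.
$session = ['csrf_secret' => bin2hex(random_bytes(32))];
$delete = static function (int $id): void { echo "deleted file $id\n"; };
$good = ['fID' => 7, 'ccm_token' => generateToken($session, 'delete_file')];
echo handleDeleteRequest($session, 'GET', ['fID' => 7], $delete)['status'], "\n";
echo handleDeleteRequest($session, 'POST', ['fID' => 7], $delete)['status'], "\n";
echo handleDeleteRequest($session, 'POST', $good, $delete)['status'], "\n";
```

Only the third request, a POST carrying a token minted for the same session and action, reaches the delete callback; the GET and the token-less POST are rejected before any state changes.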