Concrete CMS 9.2.6
15 February 2024
Concrete CMS version 9.2.6 is now available (security release).
Upgrading to Concrete CMS 9.2.6
Concrete CMS 9.2.6 can be upgraded to (or installed) using any of Installatron's products. Use Installatron's optional Automatic Update feature to automatically apply Concrete CMS updates as new versions are released, or use Installatron's Clone feature to duplicate an existing Concrete CMS install to test the 9.2.6 upgrade prior to applying it live. Get started managing your Concrete CMS installations with Installatron.
What's New in Concrete CMS 9.2.6
Security
- Fixed CVE-2024-1245, Stored XSS in file tags and description attribute, with commit 11927. Administrator-entered file attributes are not sufficiently sanitized in the Edit Attributes page in version 9 before 9.2.5. A rogue administrator could put malicious code into the file tags or description attribute and, when another administrator opens the same file for editing, the malicious code could execute. The Concrete CMS Security team scored this 2.4 with CVSS v3 vector AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N. This does not affect Concrete versions below 9. Thanks to Poto Gabor for reporting (HackerOne 2309264).
- Fixed CVE-2024-1246, Reflected XSS in the Image URL Import feature, with commit 11927. There is insufficient validation of administrator-provided data in version 9 before 9.2.5. A rogue administrator could inject malicious code when importing images, leading to the execution of the malicious code in the website user's browser. The Concrete CMS Security team scored this 2 with CVSS v3 vector AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N. This does not affect Concrete versions prior to version 9. Thanks to cupc4k3 for reporting (HackerOne 2337524).
- Fixed CVE-2024-1247, Stored XSS in the "Role Name" field, with commit 11927. There is insufficient validation of administrator-provided data in version 9 before 9.2.5. A rogue administrator could inject malicious code into the "Role Name" field, which might be executed when users visit the affected page. The Concrete CMS Security team scored this 2 with CVSS v3 vector AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N. Concrete versions below 9 do not include group types, so they are not affected by this vulnerability. Thanks to cupc4k3 for reporting (HackerOne 2337519).
Backward Compatibility Notes
- If you have implemented your own bulk editing interface using the Attribute\Key\Component\KeySelector\ControllerTrait class, you’ll need to modify your canEditAttributeKey method to include the object as its second parameter. See concrete/controllers/dialog/page/bulk/properties.php for an example. (This is not common.)
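As an added illustration of the change described above (example code, not Concrete CMS's own implementation or anything from this page), here is how a custom bulk-editing controller that uses the trait might update its override: the old one-argument form beside the new two-argument form. The `Concrete\Core` namespace prefix for the trait, the controller base class, the `AttributeKeyInterface` type and the `Checker::canEditPageProperties($key)` call are all assumptions about the core API.

```php
<?php
// Added example; assumed to live in a site-specific bulk-edit dialog controller.
// The namespace below and the imported class paths are assumptions.
namespace Application\Controller\Dialog\Bulk;

use Concrete\Core\Attribute\AttributeKeyInterface;
use Concrete\Core\Attribute\Key\Component\KeySelector\ControllerTrait;
use Concrete\Core\Controller\Controller;
use Concrete\Core\Permission\Checker;
use Concrete\Core\User\User;

class ProductProperties extends Controller
{
    use ControllerTrait;

    // Before 9.2.6 the override received only the attribute key. With no
    // object available, the decision could only be global or per-user:
    //
    // protected function canEditAttributeKey(AttributeKeyInterface $key)
    // {
    //     return $this->app->make(User::class)->isSuperUser(); // assumed API
    // }

    /**
     * From 9.2.6 the selected object is passed as the second parameter, so
     * the decision can be made against that specific object's permissions.
     *
     * @param AttributeKeyInterface $key    the attribute being bulk-edited
     * @param object|null           $object the page or file selected in the
     *                                      bulk editor (type is an assumption)
     */
    protected function canEditAttributeKey(AttributeKeyInterface $key, $object)
    {
        if ($object === null) {
            return false; // fail closed when no object is supplied
        }
        // Assumed permission API: check "edit properties" for this key on
        // this object, rather than a site-wide or user-only answer.
        $checker = new Checker($object);
        return (bool) $checker->canEditPageProperties($key);
    }
}
```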
9.2.6
Bug Fixes and Changes
- Removed some extraneous and unnecessary files from the ckeditor js/ directory.
- Fixed “CKEditor is not secure” notice when loading CKEditor.
- Fixed 400 (Bad Request) on download image from detail popup.
9.2.5
Highlights
- Added an “Ignore Permissions” field to the Top Navigation Bar block (thanks SashaMcr)
Bug Fixes and Changes
- We now show Doctrine development mode in our environment information reports (thanks JohnTheFish)
- If your Concrete installation is configured to use less than the recommended amount of RAM, console commands will now warn you that they might behave erratically.
- Removing a block control from the Composer form will now remove all the output controls in page defaults.
- Stylesheets output by the style customizer now append the ccm_nocache value, ensuring that clearing the site's cache and other upgrade operations will properly force CSS files to be refreshed (thanks danklassen).
- Improved the display of the Express Forms Dashboard page (thanks shahroq).
- Removed the direct reference to the $_REQUEST parameter in the search block view template (thanks shahroq).
- File folder ID is now present in the response for all file REST API operations.
- File identifier is now available on the File Manager Details page, along with a note specifying this must be used for API calls.
- Fixed redirect to home page that happened when attempting to edit page type defaults.
- Fixed error when attempting to edit a Composer output control block that had been divorced from a page type and page template (thanks JohnTheFish)
- Fixed error complaining about undefined chooseCalendar field when installing Atomik theme documentation.
- Fixed bug where viewing a saved search of an Express object and then exporting the CSV would export all values, not just those included in the saved search.
- Fixed: When performing a full content swap, there were some occasions where not all frontend pages were removed (thanks mlocati).
- Fixed bug where Twitter/X social icon was not displaying properly in Safari/iOS.
- Fixed issue where Atomik skins were not using the proper colors defined by the customizer and were instead using Bootstrap defaults.
- Reverted an update that changed the name of an Express object if it was renamed in the frontend Express form block, as it had unintended consequences.
- Fixed "Access denied" error when trying to add an attribute from the properties menu in the page search dashboard as a non-super-admin.
- Fixed: Express DateTime attribute can save with incorrect timezone when user timezone is set.
- Fixed: the uninstall package task failed when a process or schedule still exists (thanks hissy).
- Fixed an error that occurred when editing advanced block settings multiple times in a row without reloading the browser.
- Fixed: Default summary template could throw errors if page descriptions were undefined in PHP 8.
- Fixed bug where summary templates for calendar events might not be properly populated on the first event creation.
- Fixed bug where setting a custom skin on a page version would be reset to the default skin when the next version of the page was created.
- Fixed error where Tags block was never refreshed when adding a new property to it in a previous version.
- Fixed: Unable to uncheck the "Ignore page permissions" option when saving the Page List block (thanks SashaMcr).
- Fixed: Unable to uncheck the "enable pagination" option when saving the Express entry list block (thanks shahroq).
- Fixed "Undefined array key 0" when viewing a page with an empty Attribute with Topic Tree (thanks shahroq).
- Fixed bug that rendered the upload file REST API endpoint broken.
- Fixed: Cannot install Concrete 9.2.4 with Composer and PHP 8.2.
Developer Updates
- CKEditor updated to 4.22.1.
- Bedrock updated to 1.4.14.
- formatSize() now supports sizes beyond gigabytes (thanks mlocati).
- Added an auto-populated SCSS variable named concrete-theme-path that will contain the relative path to the current Concrete theme, allowing developers to reliably use background images in SCSS files with the customizer while still supporting themes that may shift locations or be installed in subdirectories of websites. See https://forums.concretecms.org/t/theme-development-compiling-sass-files-including-paths/6292/4 for implementation details.
- Added parentID as an optional parameter to Node::getByName (thanks krebbi).