Concrete CMS 9.2.7
7 March 2024
Concrete CMS version 9.2.7 is now available (security release).
Upgrading to Concrete CMS 9.2.7
You can upgrade to (or install) Concrete CMS 9.2.7 using any of Installatron's products. Use Installatron's optional Automatic Update feature to apply Concrete CMS updates automatically as new versions are released, or use Installatron's Clone feature to duplicate an existing Concrete CMS install and test the 9.2.7 upgrade before applying it live.
What's New in Concrete CMS 9.2.7
Security
- Fixed CVE-2024-2179, a stored XSS in the Name field of a Group type, with commit 11965. Because administrator-provided data was insufficiently validated, a rogue administrator could inject malicious code into the Name field of a Group type, which might then be executed when users visit the affected page. The Concrete CMS Security team scored this 2.2 with CVSS v3 vector AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N. Concrete versions below 9 do not include group types, so they are not affected by this vulnerability. Thanks to Luca Fuda for reporting (HackerOne 2383192).
Behavioral Improvements
- Improved display of certain UI elements when Concrete was used with non-Bedrock/Bootstrap themes.
- Back to Website button in Dashboard now uses the vanity URL instead of the cID URL (Thanks JohnTheFish)
- Add db charset and collation to environment report (thanks JohnTheFish)
Bug Fixes
- Fixed: Time selector in the calendar event dialog not showing all times.
- Fixed: 'Undefined array key "value"' in /concrete/attributes/date_time/controller.php under PHP 8.
- Fixed: 'Undefined array key 0' in /concrete/blocks/calendar_event/controller.php:224 under PHP 8.
- Fix pagination not working in clipboard side panel (thanks quentinnorbert0)
- Fix double encoding when displaying page template name (thanks quentinnorbert0)
- Fixed inability to clear date/time attributes using the built-in HTML datepicker clear link.
- Fixed bug when attempting to do an advanced search by time in the Logs (thanks Quentin-Gach)
- Fixed error where including an ampersand in your site name would cause it to be displayed as &amp;amp; in your site browser title.
- Fixed: 'Undefined property: Concrete\Block\Survey\Controller::$cID' in /concrete/blocks/survey/controller.php:206 under PHP 8.
- Fixed: 'Undefined variable $fID' in /concrete/single_pages/download_file.php:23 under certain conditions in PHP 8.
- Fixed error when attempting to log values that were non-scalar (thanks JohnTheFish)