Concrete CMS 8.5.12
17 January 2023
Concrete CMS version 8.5.12 is now available (security release).
Upgrading to Concrete CMS 8.5.12
Concrete CMS 8.5.12 can be upgraded to (or installed) using any of Installatron's products. Use Installatron's optional Automatic Update feature to automatically apply Concrete CMS updates as new versions are released, or use Installatron's Clone feature to duplicate an existing Concrete CMS install to test the 8.5.12 upgrade prior to applying it live. Get started managing your Concrete CMS installations with Installatron.
What's New in Concrete CMS 8.5.12
8.5.12
Bug Fixes
- Fixed ZendCacheDriver not setting the cache lifetime properly (thanks hissy)
- Made the legacy_salt functionality easier to read
Developer Updates
- Private properties in Select Attribute Controller updated to be protected (thanks biplobice)
- Added on_get_page_wrapper_class() custom event to allow developers to customize classes delivered by this method (thanks JohnTheFish)
Security Fixes
- See our security release blog post for more information about security fixes.
Medium
- CVE-2022-43693 Added "state" parameter to OAuth client by default to prevent CSRF. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.
- CVE-2022-43692 Sanitized output to prevent XSS in dashboard search pages. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.
- CVE-2022-43694 Sanitized output in API endpoint to prevent potential reflected XSS in the Image Manipulation Library. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.
- CVE-2022-43967 Sanitized output in multilingual dashboard report to prevent reflected XSS. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.
- CVE-2022-43968 Sanitized output on the icons dashboard page to prevent reflected XSS. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.
- CVE-2022-43686 Improved performance of "forever" cookie to prevent DoS. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.
- CVE-2022-43691 Hide $_SERVER and $_ENV output from whoops by default to prevent information disclosure. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.
- CVE-2022-43687 Generate a new session ID when authenticating through OAuth to prevent session fixation. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.
- CVE-2022-43556 Sanitized dashboard breadcrumbs to prevent stored XSS. Thanks @_akbar_jafarli_ for reporting HackerOne report #1696363.
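The two OAuth-client hardenings in the list above (the state parameter for CVE-2022-43693 and session-ID rotation for CVE-2022-43687) in one added example. This is illustrative PHP written for this page, not Concrete CMS code: the function names, the array standing in for the PHP session, the endpoint and redirect URLs, and the 10-minute state lifetime are all assumptions. It needs PHP 7 or later for random_bytes().

```php
<?php
declare(strict_types=1);

// Added example (not Concrete CMS code). $session is a plain array standing in
// for $_SESSION so the script runs from the CLI.

// Before redirecting to the provider: bind a fresh random state to the session
// and send it along in the authorization URL.
function buildAuthorizationUrl(array &$session, string $authorizeEndpoint,
                               string $clientId, string $redirectUri): string
{
    $state = bin2hex(random_bytes(16));             // 128 bits from the CSPRNG
    $session['oauth_state']        = $state;
    $session['oauth_state_issued'] = time();
    return $authorizeEndpoint . '?' . http_build_query([
        'response_type' => 'code',
        'client_id'     => $clientId,
        'redirect_uri'  => $redirectUri,
        'state'         => $state,
    ]);
}

// On the callback: accept only a state that this session issued, only once,
// and only while it is fresh. The stored state is cleared before any check so
// a failed attempt cannot be retried against the same value.
function validateCallbackState(array &$session, array $query, int $maxAgeSeconds = 600): bool
{
    $expected = $session['oauth_state'] ?? null;
    $issued   = $session['oauth_state_issued'] ?? 0;
    unset($session['oauth_state'], $session['oauth_state_issued']);
    if (!is_string($expected) || !isset($query['state']) || !is_string($query['state'])) {
        return false;
    }
    if (time() - $issued > $maxAgeSeconds) {
        return false;
    }
    return hash_equals($expected, $query['state']);   // constant-time comparison
}

// After the code/token exchange has identified the user: discard pre-login
// session data and rotate the session id, so an id fixed before authentication
// never becomes an authenticated one.
function establishAuthenticatedSession(array &$session, int $userId): void
{
    $session = ['user_id' => $userId, 'authenticated_at' => time()];
    if (PHP_SAPI !== 'cli' && session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);   // new id; the old one is deleted server-side
    }
}

// Constructed walk-through with sample endpoint and redirect URL.
$session = [];
$url = buildAuthorizationUrl($session, 'https://idp.example/authorize',
                             'demo-client', 'https://site.example/oauth/callback');
parse_str((string) parse_url($url, PHP_URL_QUERY), $query);

// A callback carrying a state this session never issued is refused.
var_dump(validateCallbackState($session, ['state' => 'not-the-issued-value']));

// A matching state is accepted exactly once; the second attempt is refused.
$url = buildAuthorizationUrl($session, 'https://idp.example/authorize',
                             'demo-client', 'https://site.example/oauth/callback');
parse_str((string) parse_url($url, PHP_URL_QUERY), $query);
var_dump(validateCallbackState($session, ['state' => $query['state']]));
var_dump(validateCallbackState($session, ['state' => $query['state']]));

// The authenticated session carries the user id and no leftover OAuth state.
establishAuthenticatedSession($session, 42);
var_dump(isset($session['oauth_state']), $session['user_id']);
```

In a real application the session array is $_SESSION and the regeneration call runs unconditionally after the provider has confirmed the user; consuming the state before checking it is what prevents a forged callback from being replayed against the same value.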
Low
- CVE-2022-43695 Sanitized entity names in entity association dashboard page to prevent stored XSS. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.
- CVE-2022-43690 Use strict comparison when testing against the legacy password algorithm to prevent potential integer conversion. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.
- CVE-2022-43688 Sanitize Microsoft tile icon to prevent stored XSS. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.
- CVE-2022-43689 Disable entity expansion when sanitizing SVGs to prevent DNS based IP disclosure. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.
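The comparison change behind CVE-2022-43690 (strict instead of loose comparison of a legacy digest), as an added example that is not Concrete's code. legacyDigest(), the salt and the two constructed digest strings are assumptions made for the illustration; it requires PHP 7 or later.

```php
<?php
declare(strict_types=1);

// Added example, not Concrete CMS code. legacyDigest() is a hypothetical
// stand-in for an old salted-MD5 scheme; the point is the comparison step.
function legacyDigest(string $password, string $salt): string
{
    return md5($salt . $password);
}

// Weak form: == on two strings that both look numeric compares their numeric
// values. A 32-character hex digest made of "0e" followed only by decimal
// digits is parsed as 0 * 10^n, so two such digests compare as 0 == 0 even
// though they differ character for character.
function digestMatchesLoose(string $storedDigest, string $computedDigest): bool
{
    return $computedDigest == $storedDigest;
}

// Hardened form: hash_equals() compares byte for byte, in constant time, and
// never coerces types. (=== would also stop the coercion but is not timing-safe.)
function digestMatchesStrict(string $storedDigest, string $computedDigest): bool
{
    return hash_equals($storedDigest, $computedDigest);
}

function verifyLegacyPassword(string $storedDigest, string $password, string $salt): bool
{
    return digestMatchesStrict($storedDigest, legacyDigest($password, $salt));
}

// Constructed digests of the shape that triggers the pitfall (not real MD5
// outputs, but real outputs of this shape exist among the 16^32 possibilities).
$stored   = '0e' . str_repeat('1', 30);   // 32 characters, numeric-looking
$computed = '0e' . str_repeat('7', 30);   // a different 32-character string
var_dump(digestMatchesLoose($stored, $computed));   // reported as a match: wrong
var_dump(digestMatchesStrict($stored, $computed));  // correctly rejected

// Ordinary use of the hardened verifier with a constructed salt.
$salt   = 'constructed-salt';
$stored = legacyDigest('correct horse', $salt);
var_dump(verifyLegacyPassword($stored, 'correct horse', $salt));  // accepted
var_dump(verifyLegacyPassword($stored, 'wrong', $salt));          // rejected
```

The same coercion applies to any numeric-looking pair ("1e3" == "1000" is also true), which is why a digest comparison must never go through ==; hash_equals() is the idiomatic replacement because it also removes the timing side channel that === keeps.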
Not Ranked
- Added a warning for admins when they are potentially giving more access than they expect when they set certain advanced permissions. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for suggesting.
- Added a warning when moving groups that permissions of the new parent group will be granted to the child group but the child group will retain all previous permissions. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for suggesting.
8.5.11
Bug Fixes
- Fixes for PHP 5.5 compatibility
8.5.10
Bug Fixes
- Fixes for PHP 5.5 compatibility
8.5.9
Bug Fixes
- Fixed inability to upload files when file chunking is disabled.
- Fixed bug that prevented file chunking from also working.
- Reverted code that accidentally made the core require PHP 5.6+ in some situations.
8.5.8
Behavioral Improvements
- JavaScript and CSS assets now have the timestamp of when the cache was last cleared appended to them (thanks deek87, haeflimi)
- Renamed concrete5 to Concrete CMS and Concrete during the installation process.
- Nicer version history view in add-on update screen (thanks biplobice)
Bug Fixes
- Fixed error that would occur if you deleted an Express entry and then attempted to reorder that same entry on the page before reloading (thanks biplobice)
- Fixed error where users, files and sites weren’t being reindexed when running the index_search_all job.
- Fixed error where copying conversation blocks out from page defaults made them all one instance of the same conversation (thanks hissy)
- Validating Express, User and Page attribute types now works when used with Composer and Express (thanks hissy)
- Fixed bug in Redis caching backend when saving a primitive value.
- Fixed: when using the Express Form block, and a file is uploaded through the form, it creates two versions of the file, which are seemingly identical (thanks 1stthomas)
- Fixed: Clear old page versions in all site trees when running remove page versions job (thanks Ruud-Zuiderlicht)
- Fixed bug where OAuth2 and sign in as user functionality could lead to someone unintentionally joining their user account to a different account.
- Render single pages like 404, 403, login, register in default site locale (thanks hissy)
- Fixed: error message didn't display when a file upload failed via drag & drop (thanks hissy)
- Fixed invalid and unhelpful display of marketplace connection failures under certain conditions (thanks JohnTheFish)
- Fixed: Topics Attribute Search Form was not getting translated on the frontend (thanks 1stthomas)
- Fixed: Multilingual copy site tree with alias pages (thanks hissy)
- Fixed migration bug in the overlapping start/end dates fix when custom page publishing dates had been set in some cases (thanks hissy)
- Fixed null pointer exceptions when using area layouts under certain conditions (thanks biplobice)
Security Fixes
- CKEditor updated from 4.16.2 to 4.18.0 (thanks hissy)
- Remediated CVE-2022-21829 - Concrete CMS Versions 9.0.0 through 9.0.2 as well as 8.5.7 and below can download zip files over HTTP and execute code from those zip files, which could lead to an RCE. Fixed by enforcing ‘concrete_secure’ instead of ‘concrete’. Concrete now only makes requests over https even if a request comes in via http. Concrete CMS security team ranked this 8 with CVSS v3.1 vector: AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H. Credit goes to Anna for reporting on HackerOne - https://hackerone.com/reports/1482520
- Remediated CVE-2022-30117 - Concrete CMS Versions 9.0.0 through 9.0.2 as well as 8.5.7 and below allowed traversal in /index.php/ccm/system/file/upload which could result in an Arbitrary File Delete exploit. This was remediated by sanitizing /index.php/ccm/system/file/upload to ensure Concrete doesn’t allow traversal and by changing isFullChunkFilePresent to have an early false return when input doesn't match expectations. Concrete CMS Security team ranked this 5.8 with CVSS v3.1 vector AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H. Credit to Siebene for reporting https://hackerone.com/reports/1482280
- Remediated CVE-2022-30120 - XSS in /dashboard/blocks/stacks/view_details/ - old browsers only. When using an older browser with built-in XSS protection disabled, insufficient sanitization where built URLs are output can be exploited for Concrete CMS Versions 9.0.0 through 9.0.2 as well as 8.5.7 and below to allow XSS. This cannot be exploited in modern-day web browsers due to an automatic input escape mechanism. Dashboard Stacks page sort URLs are now sanitized. Concrete CMS Security team ranked this vulnerability 3.1 with CVSS v3.1 Vector AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N. Sanitization has been added where built URLs are output. Credit to Bogdan Tiron from FORTBRIDGE (https://www.fortbridge.co.uk/) for reporting https://hackerone.com/reports/1363598
- Remediated CVE-2022-30119 - XSS in /dashboard/reports/logs/view - old browsers only. When using Internet Explorer with the XSS protection disabled, insufficient sanitization where built URLs are output can be exploited for Concrete CMS Versions 9.0.0 through 9.0.2 as well as 8.5.7 and below to allow XSS. This cannot be exploited in modern-day web browsers due to an automatic input escape mechanism. Concrete CMS Security team ranked this vulnerability 2 with CVSS v3.1 Vector AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N. Sanitization has been added where built URLs are output. Thanks zeroinside for reporting https://hackerone.com/reports/1370054
- Remediated CVE-2022-30118 - XSS in /dashboard/system/express/entities/forms/save_control/[GUID] - old browsers only. When using Internet Explorer with the XSS protection disabled, editing a form control in an express entities form for Concrete CMS Versions 9.0.0 through 9.0.2 as well as 8.5.7 and below can allow XSS. This cannot be exploited in modern-day web browsers due to an automatic input escape mechanism. Concrete CMS Security team ranked this vulnerability 2 with CVSS v3.1 Vector AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N. Thanks zeroinside for reporting https://hackerone.com/reports/1370054
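The "early false return" idea behind the CVE-2022-30117 remediation, as an added example rather than Concrete's own isFullChunkFilePresent: a chunk-file lookup that rejects any identifier it did not issue before a path is ever built, with a realpath containment check as defence in depth. The identifier format, the function names and the temporary directory used in the walk-through are assumptions made for this page.

```php
<?php
declare(strict_types=1);

// Added example, not Concrete CMS code. Assumes chunk identifiers are issued by
// the application as 32 lowercase hex characters; anything else is unexpected.
function isIssuedChunkIdentifier(string $id): bool
{
    return (bool) preg_match('/\A[0-9a-f]{32}\z/', $id);
}

// Returns the on-disk path for a chunk, or null. Input that does not match the
// expected shape is refused before any filesystem call (the early false return).
function resolveChunkPath(string $chunkDir, string $id, int $index): ?string
{
    if (!isIssuedChunkIdentifier($id) || $index < 0) {
        return null;
    }
    $base = realpath($chunkDir);
    if ($base === false) {
        return null;
    }
    $candidate = $base . DIRECTORY_SEPARATOR . $id . '.part' . $index;

    // Defence in depth: even a well-formed id must resolve inside $chunkDir
    // (realpath() is false for a file that does not exist yet, which is fine).
    $resolved = realpath($candidate);
    if ($resolved !== false
        && strncmp($resolved, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

function isFullChunkPresent(string $chunkDir, string $id, int $index): bool
{
    $path = resolveChunkPath($chunkDir, $id, $index);
    return $path !== null && is_file($path);
}

function deleteChunk(string $chunkDir, string $id, int $index): bool
{
    $path = resolveChunkPath($chunkDir, $id, $index);
    if ($path === null || !is_file($path)) {
        return false;
    }
    return unlink($path);
}

// Constructed walk-through in a throwaway temp directory.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'chunk-demo-' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
$id = bin2hex(random_bytes(16));                      // an identifier "we" issued
file_put_contents($dir . DIRECTORY_SEPARATOR . $id . '.part0', 'sample chunk data');

var_dump(isFullChunkPresent($dir, $id, 0));           // present
var_dump(deleteChunk($dir, '../outside', 0));         // refused before any filesystem access
var_dump(deleteChunk($dir, $id, -1));                 // refused: negative index
var_dump(deleteChunk($dir, $id, 0));                  // removed
var_dump(isFullChunkPresent($dir, $id, 0));           // no longer present
rmdir($dir);
```

The allow-list check does the real work: a name that is not 32 hex characters cannot contain a separator or a dot-segment, so no path is built from it. The realpath() comparison is there for the case where a future change widens the identifier format.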