Concrete CMS 9.3.4
11 September 2024
Concrete CMS version 9.3.4 is now available (security release).
Upgrading to Concrete CMS 9.3.4
Concrete CMS 9.3.4 can be upgraded to (or installed) using any of Installatron's products. Use Installatron's optional Automatic Update feature to automatically apply Concrete CMS updates as new versions are released, or use Installatron's Clone feature to duplicate an existing Concrete CMS install to test the 9.3.4 upgrade prior to applying it live. Get started managing your Concrete CMS installations with Installatron
What's New in Concrete CMS 9.3.4
Security Updates
- Fixed CVE-2024-8291 Stored XSS in Image Editor Background Color by sanitizing output of "Save Background Image Colour" in file thumbnail dashboard single page with commit dbce253166f6b10ff3e0c09e50fd395370b8b065 for version 8 and commit 12183 for version 9. The Concrete CMS Security Team gave this a CVSS v4 score of 2.1 with vector CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N Prior to the fix a rogue admin could add malicious code to the Thumbnails/Add Type. Thanks Alexey Solovyev for reporting HackerOne 921527.
- Fixed CVE-2024-7398 Stored XSS Vulnerability in Calendar Event Addition Feature with commit 7c8ed0d1d9db0d7f6df7fa066e0858ea618451a5 for version 8 and commits 12183 and 12184 for version 9. The Concrete CMS Security Team gave this vulnerability a CVSS v4 score of 1.8 with vector VSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N Prior to the fix, the calendar event name was not sanitized on output. Users or groups with permission to create event calendars could embed scripts and users or groups with permission to modify event calendars could execute scripts. Thank you Yusuke Uchida for reporting HackerOne 2400810.
- Fixed CVE-2024-8660 Stored XSS in in the "Top Navigator Bar" block with commit 12128. The Concrete CMS Security Team gave this vulnerability a CVSS v4 score of 4.6 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N Prior to the fix,a rogue admin could add a malicious payload. Since "Top Navigator Bar" output was not sufficiently sanitized, the payload could be executed when targeted users visited the home page. This does not affect Versons below 9 since they do not have the Top Navigation Bar Block. Thanks Chu Quoc Khanh for reporting HackerOne 2610205
- Fixed CVE-2024-8661 Stored XSS in the "Next&Previous Nav" block with commit 12204 for version 9 and with commit ce5ee2ab83fe8de6fa012dd51c5a1dde05cb0dc4 for version 8. The Concrete CMS Security Team gave this vulnerability a CVSS v4 score of 4.6 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Prior to the fix, a rogue admin could add a malicious payload. Since the "Next&Previous Nav" block output was not sufficiently sanitized, the malicious payload could be executed in the browsers of targeted users. Thanks Chu Quoc Khanh for reporting HackerOne 2610205
New Features
- Added the ability to search pages by their cache settings in the advanced page search (thanks SashaMcr)
Behavioral Improvements
- Added Discord to Social Links (thanks RLHawk1)
- We now require the redirect URL when adding a new API integration (thanks mlocati)
- Canonical URL is now validated when saving (thanks hissy)
Bug Fixes
- Fixed some errors in the Add block dialog on the Stacks Dashboard page when running Concrete in strict mode (thanks mlocati)
- You can no longer choose Guest or Registered Users as groups to assign to users (which you shouldn’t have been able to do.)
- Fixed canonical URL sometimes not included a path to a subdirectory if the Concrete installation is in a subdirectory (thanks biplobice)
- Fixed: When selecting a topic to filter ExpressList, the previously selected topic remains (thanks hissy)
- c5:package:install CLI command: pass install options to install method (thanks mlocati)
Developer Updates
- Top Navigation Bar should work better on non-Bedrock themes (thanks RLHawk1)
- Some removals of deprecated Core::make() code from the core.
- Enhance c5:package:pack Command to Allow Flexible Output Path Without Requiring Zip File Name (thanks biplobice)