
Releases: concretecms/concretecms-core

9.4.1

12 May 19:06

Behavioral Improvements

  • Correctly initialize HTTP client in FeedService so that it is a singleton (thanks mlocati)
  • We now forget pages from the page index when they are moved to the trash.
  • Improved performance when using the core translation library to extract strings from templates into .po files (thanks mlocati)

Bug Fixes

  • Fixed: User without stack editing permissions can add blocks to global areas
  • Fixed: User without add stack permission can edit or delete blocks on global areas
  • Fixed: new 9.4 OpenGraph feature doesn't escape characters in page name/descriptions (thanks mlocati)
  • Concrete JS and CSS assets were not properly built in 9.4.0, leading to some display issues (buttons appearing in a slightly different styling, etc…) This has been fixed.
  • The Gallery block displayed an error when being edited with the default Atomik sample content under PHP 8.4 and possibly under other conditions. This was due to an incompatible version of its JS dragging library being included. This has been fixed.
  • Fixed: New 9.4.0 OpenGraph feature not compatible with SVG files
  • The Gallery sample content in Atomik displayed extra slides under PHP 8.4 and possibly other conditions. This has been fixed.

Developer Updates

  • Add new method to the Seo class and change the class properties from private to protected (thanks biplobice)

9.4.0

06 May 21:45

New Features

  • Significant Improvements to Error Handling, including the ability to map PHP error types to different behaviors, a cleaner debug error handling page, and more.
  • Significant improvements to logging, including providing links over to user profile pages from logs, adding page identifiers to log messages, and much more.
  • Atomik theme now has five new skins available.
  • Improvements to task resiliency, including better logging of task errors, better display of errors in the command line, and batch tasks that continue running even if one task in the batch fails.
  • Added the ability to bulk set page caching settings in the Dashboard page search interface.
  • Added the ability to bulk edit page type, page template and theme in the Dashboard page search interface.
  • Dashboard and CMS now support dark mode! Set light mode or dark mode globally, or use your OS settings.
  • New Appearance Dashboard page (replaces Accessibility and includes existing Accessibility settings)
  • Added support for Open Graph to the core; head to the Open Graph Dashboard page to configure which properties and attributes feed data to Open Graph tags.
  • Significant improvements to content import/export: added support for multilingual page mapping, additional page paths, external links and more (thanks mlocati)
  • Added the ability to specify storage and whether to override existing items when importing config values (thanks mlocati)
  • Added a Dashboard page allowing users to control which summary templates are available for which categories of content.
  • Added the ability to view detailed logging information on a board instance level when troubleshooting board behaviors.
  • Added “Total File Downloads” as an available column to the file manager (thanks SashaMcr)
  • Add support for Bluesky to Social Links (thanks mlocati)

Behavioral Improvements

  • Concrete is now tested to run under PHP 8.4.
  • Boards will now automatically refresh and regenerate their contents when relevant content displayed in them is added or changed throughout the site.
  • Much improved performance when working with external file storage locations like AWS S3.
  • Added a new config value, misc.img_src_absolute, that defaults to false. When set to true, absolute URLs will be used when serving assets from the file manager (useful when using the data in your site for other purposes like sending emails, etc.) (thanks mlocati)
  • Added the ability to include system pages in the Dashboard Page search.
  • Update Languages Dashboard page now gives better feedback when updating languages (thanks mlocati)
  • Accordion/FAQ/Image Slider/Survey: improvements and fixes to exporting/importing secondary tables (thanks mlocati)
  • Made the “page publish start date” input field required when enabled, so that users don’t accidentally publish pages when not intending to do so (thanks bikerdave)
  • Add a condition on the site tree ID when creating a multilingual URL for a single page that is in the site tree (thanks 6tematik)
  • We now specify the file download from the Document Library (thanks ounziw)
  • Performance improvements when retrieving certain page data (thanks hissy)
  • Date and time of scheduled tasks is now shown in a friendlier format (thanks hissy)
  • Removing orphaned blocks will now no longer remove orphaned blocks from potentially unrelated pages, if those blocks had been shared via page defaults (not common) (thanks hissy)
  • Performance improvement: Do not get style sets and global stacks repeatedly (thanks hissy)
  • Performance improvements to the PageList class (thanks hissy)
  • Gallery block record is now cacheable (thanks hissy)
  • Admins can now add pages beneath system pages in the sitemap
  • Do not throw an exception at the messenger backend when unauthorized (thanks ahukkanen)
  • RSS Displayer Block now supports ATOM feeds.
  • Improvement: accessibility for accessibility settings (thanks nratering)
  • CONCRETE and CONCRETE_LOGIN now respect the samesite setting (thanks gutig)
  • Redirect in case express form submit happens without a valid Express Form in the Dashboard (thanks ahukkanen)
  • Added a timeout to feed service so that malformed weird feeds can't hang the entire thing
  • Block Types: allow exporting NULL, don't "abstract" zeroes on import/export (thanks mlocati)
  • When importing stacks we first check to see if a stack path exists on the stack node, and fallback to stack name if it does not (thanks mlocati)

Bug Fixes

  • Fixed error where RSS feeds that were set up to filter by a parent page would die if that parent page were put in the trash (thanks mlocati)
  • Fix wrong arguments passed from Page\AddBlock dialog controller to the view (thanks mlocati)
  • Fixed "Creation of dynamic property" in the PageView class under certain conditions in PHP 8+ (thanks jgarc186)
  • Miscellaneous PHP8 missing property bugs (thanks jgarc186)
  • Fixed: Text Area User Attribute / Ckeditor not showing on edit profile when wrapped with custom theme
  • Fixed inability to set separate active theme for sites from the theme Dashboard page when multisite was enabled.
  • Fixed: Grid framework views are broken in some edge cases (thanks hissy)
  • Fixed: Rename Express Object does not rename results folder name
  • Fixed: When installing a Snippet using the CIF format in a package if you bump up the version of the package the Snippets attempt to install a second time and return an error
  • Fixed issues selecting file manager folders when moving files under certain conditions (thanks hissy)
  • Fixed bug where visiting a folder in the frontend file chooser and then deleting it in the file manager would render the frontend file chooser unusable.
  • Fixed inconsistencies when adding, editing and removing multiple Express form set controls via the Dashboard UI.
  • Fixed bug where certain kinds of select options could break the ability to run the Migration Tool exporter (thanks bitterdev)
  • Fix AreaLayout::getByID() with a nonexistent layout ID (thanks ahukkanen)
  • Fixed bug in Concrete’s implementation of PHP Redis
  • Fix rendering content block images with custom width or height under certain conditions (thanks mlocati)
  • Fix issues with the search block and page list with unexpected parameters (thanks ahukkanen)
  • Check attribute validation data is set before validation (thanks ahukkanen)
  • Fix error when retrieving theme grid layout name when theme does not support grid framework (thanks ahukkanen)
  • Fix exporting aliases of deleted blocks (thanks mlocati)
  • Fix file download stats issue when related page ID is out of range (thanks ahukkanen)
  • Fix clicking on "sort by" labels while adding/editing a board (thanks mlocati)
  • Fixed error when reindexing pages with certain Express blocks and attributes attached to them when the cache is disabled (thanks ahukkanen)
  • Fixed error “Only variables should be passed by reference” on user notifications page under PHP strict mode (thanks jgarc186)
  • Fix: PHP 8 compatibility issue in legacy form submissions CSV export (thanks bitterdev)
  • Fixed some small errors when importing stack content (thanks mlocati)
  • Fix exporting page fields when page can't be found (thanks mlocati)

Developer Improvements

  • package-pack command now excludes phpunit.xml and tests directory when preparing a package for distribution (thanks biplobice)
  • Added the ability to include json strings as config in Concrete import XML (thanks mlocati)
  • When importing pages at paths that don’t exist, we now throw a specific exception that can be handled differently in different cases (thanks mlocati)
  • Fixed bug where output from tasks would not appear in realtime, even if using Mercure.
  • Content blocks that use btExportContentColumns will have their content properly exported without having to implement their own export and getImportData methods (thanks mlocati)

Security Updates

  • Fixed CVE-2025-0660 Stored XSS in Folder Function by adding sanitization to the folder selector dropdown output with commit 11bef02 and by fixing folder deletion issues with commit 7c134e9 for version 9. The "Add Folder" functionality lacked input sanitization, allowing a rogue admin to inject XSS payloads as folder names. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 4.8 with vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N. Versions below 9 are not affected. Thanks, Alfin Joseph, for reporting HackerOne 2941432.
  • Fixed CVE-2025-3153 CSRF and XSS in the Concrete CMS Address attribute with commit 12511 for version 9 and with commit 12511 for version 8.5. Fixed unsanitized address custom attribute when rendering addresses unattached to a particular country. Attackers are limited to individuals whom a site administrator has granted the ability to fill in an address attribute. It is possible for the attacker to glean limited information from the site, but the amount and type are restricted by mitigating controls and the level of access of the attacker. Limited data modification is possible. The dashboard page itself could be rendered unavailable. The fix only sanitizes new data uploaded post update to Concrete CMS 9.4.0RC2. Existing database entries added before the update will still be “live” if there were successful exploits added under previous versions; a database search is recommended. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 5.1 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L. Thanks Myq Larson for repo...

8.5.20

01 Apr 23:54

New Features

  • Significant improvements to content import/export: added support for multilingual page mapping, additional page paths, external links and more (thanks mlocati)
  • Disabled searching marketplace since marketplace supports 9+ (thanks mlocati)

Bug Fixes

  • Fix exporting area layout column when area is null (thanks mlocati)
  • Fixed some small errors when importing stack content (thanks mlocati)
  • Fix exporting page fields when page can't be found (thanks mlocati)

Security Updates

  • Safer storage of API keys on Windows (not necessary for Concrete CMS v9+, see more information here concretecms/concretecms#11859) (thanks mlocati)
  • Fixed unsanitized address custom attribute when rendering addresses unattached to a particular country.

Developer Updates

  • Page::getByPath can now accept a as well as a site tree and return all pages in all multilingual site trees therein (thanks mlocati)
  • When importing pages at paths that don’t exist, we now throw a specific exception that can be handled differently in different cases (thanks mlocati)

9.3.9

07 Jan 23:26

New Features

  • Add options to get author name/email to Attribute Display block (thanks JohnTheFish)

Behavioral Improvements

  • When you command-click (Mac), control-click (Windows) or middle-click your mouse button on Dashboard search tables, the links will now open in a new tab or window.
  • We now rescan the pagetheme custom class when clearing the cache – this can help if you are actively developing a theme and accidentally install it before defining your theme’s custom class file.
  • Multilingual stack dropdowns are now more visible and accessible (thanks mlocati)
  • If you write custom code that filters a user list by a nonexistent group name, we now throw a proper exception that should point you in the right direction.
  • Improve conversation captcha failure message (thanks JohnTheFish)

Bug Fixes

  • Fixed error where the “Remove Orphaned Blocks” functionality did not work.
  • Fixed bug where you could improperly create a topics attribute without a selected top level node, leading to errors when selecting topics in Composer or on the page.
  • Avoid Undefined array key "optionID" exception in survey block in PHP8 (thanks biplobice)
  • Removed broken poll/survey pie chart image from survey block view and Dashboard results pages.
  • Fix memory allocation issue with thumbnail generation and Imagick (thanks ahukkanen)

Developer Updates

  • Cleaned up old code in Page List block (thanks biplobice)

9.3.8

03 Dec 23:34

Behavioral Improvements

  • We now check whether is_featured is an event or page attribute and that it’s indexed properly before allowing you to filter the Event List or Page List blocks (thanks mlocati, ccmEnlil)
  • When editing a locale-specific Stack in a multilingual website, we will now show that stack as a new segment in the breadcrumb (thanks mlocati)

Bug Fixes

  • Fixed incorrect site tree being set when adding external links under a different multilingual site tree than the root (thanks mlocati)
  • Fix invalid permission key to solve error on update files via REST API (thanks hissy, mlocati)
  • Fixed error when importing files from the incoming directory if you have a subfolder or file with no suffix under application/files/incoming under PHP 8 (thanks mlocati)
  • Fixed incorrect stack being returned when referencing stack by name but a multilingual-specific version of the stack exists (thanks mlocati, SvanteArvedson)
  • Fixed: Fixed width and height for images in CkEditor doesn't work (thanks mlocati)
  • Fixed: Document Library - Sorting does not work within Subfolders
  • Fix exporting area layout column when area is null (thanks mlocati)
  • Fixed error that could occur if you returned null when implementing your own entity manager entity location registries in your package controller (thanks JohnTheFish)
  • Fixed inability to customize a board slot.

Developer Updates

  • You can now specify package-specific options when installing packages in CIF XML (thanks mlocati)
  • API improvements to the StackList object (thanks mlocati)
  • Page::getByPath can now accept a as well as a site tree and return all pages in all multilingual site trees therein (thanks mlocati)
  • Added getExternalProfileURL to the External Concrete authentication method controller (thanks mlocati)

9.3.7

06 Nov 14:39

Bug Fixes

  • Fix broken file manager under PHP8 introduced in 9.3.6 (thanks mlocati)
  • Fix Undefined variable error on PHP8 on editing top navigation bar that could occur under certain circumstances (thanks hissy)

9.3.6

05 Nov 23:58

New Features

  • Added the ability to specify a custom filename pattern for downloading files from the file manager. Available placeholders are {title}, {extension} and {filename} (thanks SashaMcr)
  • Added the ability to set the default file manager column and sort order (thanks SashaMcr)

Behavioral Improvements

  • CSV Export of Users now uses the “DateTime Format” for CSV options as defined in the Dashboard (thanks SashaMcr)
  • Added width/height to image slider (thanks ajenkins-dev)
  • Improved and refactored RSS displayer controller and view code (thanks SvanteArvedson)
  • Improved performance of the Express Entry List block (thanks hissy)
  • Miscellaneous performance improvements (thanks hissy)
  • Fixed: Security Headers are not set when the full page is cached (thanks marcokuoni)
  • Added more useful information to the Environment Information report (thanks JohnTheFish)
  • Added more useful information about Block Types to the Block Types Dashboard page (thanks JohnTheFish)

Bug Fixes

  • When a page is re-edited, topics in the child level of the topic attribute disappear (thanks hissy)
  • Re-instate Dorset as an English County (thanks ajenkins-dev)
  • Fixed: RSS displayer view function duplicates the received RSS posts (thanks SvanteArvedson)
  • Fixed bug where custom styles applied to the Main area on a page would cascade into any stacks that were placed using the editor on the page.
  • Fixed: Atomik documentation creation dies when not installed with full content
  • Fixed: top navigation bar shows unapproved version of pages (thanks hissy)
  • Fixed bug when editing an Express object with a results folder that was deleted (thanks dimger)
  • Fix Accordion controller.php to allow pretty URLs in description field (thanks jbender0)
  • Fix login with OAuth when there are attributes to be fulfilled (thanks mlocati)
  • Fixed situation where choosing to filter a page list by a topic category didn’t work (only topics worked) (thanks hissy)
  • Fixed bug where CMS UI tooltips weren’t displaying properly in non-Bedrock themes.
  • Fixed: "Uploaded" header is active when I open a Choose File modal, but "Name" should be active instead (thanks hissy)
  • Fixed error in private messages mailbox if a message is received from a user who has been deleted (thanks wtflm)
  • Fixed: Topics Filter UI Element in Event List Block does not re-populate properly.

9.3.5

01 Oct 22:35

New Features

  • Added a Dashboard page for “File Chooser Options” on which you can configure the file chooser tab you want to be the default (thanks Mesuva)
  • Added a new checkbox to enable “hreflang” on multilingual websites to the Multilingual Setup page (thanks leal-k)

Behavioral Improvements

  • Replaced some uses of “concrete5” with Concrete throughout the codebase (thanks mlocati)
  • Added width and height attributes to the image block and to some image thumbnails in order to reduce layout shift on load (thanks katalysis)

Bug Fixes

  • Fixed some bugs that could occur when saving topic and Express attribute types (thanks alecbiela)
  • Fixed issue where Auto-Nav and Express Form blocks couldn’t be edited or previewed reliably in global areas.
  • Checkbox for Exclude from Nav attributes are now translated properly (thanks leal-k)
  • Fixed bug where the “Schedule” button in the composer page schedule dialog did nothing.
  • Fixed bug in Top Navigation Bar block where clicking on items with sub-pages would not take you to the page.
  • Fixed bug where block help dialog was not shown in Firefox (thanks alecbiela)
  • Fixed: Unsetting form redirect destination throws error
  • Fixed: Incorrect variable name in Youtube block
  • Fix typo in DeleteGroupCommandHandler.php (thanks mlocati)
  • Fixed: Cannot remove email notification from Form Block (thanks lea-k)
  • Fixed: Swagger interactive API console fails to update page except for Super-admin
  • Fixed bug in topic attribute export if no value was set (thanks RLHawk1)

Developer Updates

  • Add Support for Javascript "module" and "importmap" types to the Asset System (thanks alecbiela)
  • Improved output of the LatestMigrationTest unit test (thanks mlocati)
  • Tweaks to API documentation (thanks dimger)
  • List pages and view page children API methods now require canViewPage permission instead of canViewPageInSitemap.

9.3.4

10 Sep 20:48

New Features

  • Added the ability to search pages by their cache settings in the advanced page search (thanks SashaMcr)

Behavioral Improvements

  • Added Discord to Social Links (thanks RLHawk1)
  • We now require the redirect URL when adding a new API integration (thanks mlocati)
  • Canonical URL is now validated when saving (thanks hissy)

Bug Fixes

  • Fixed some errors in the Add block dialog on the Stacks Dashboard page when running Concrete in strict mode (thanks mlocati)
  • You can no longer choose Guest or Registered Users as groups to assign to users (which you shouldn’t have been able to do.)
  • Fixed canonical URL sometimes not including a path to a subdirectory if the Concrete installation is in a subdirectory (thanks biplobice)
  • Fixed: When selecting a topic to filter ExpressList, the previously selected topic remains (thanks hissy)
  • c5:package:install CLI command: pass install options to install method (thanks mlocati)

Developer Updates

  • Top Navigation Bar should work better on non-Bedrock themes (thanks RLHawk1)
  • Some removals of deprecated Core::make() code from the core.
  • Enhance c5:package:pack Command to Allow Flexible Output Path Without Requiring Zip File Name (thanks biplobice)

Security Updates

  • Fixed CVE-2024-8291 Stored XSS in Image Editor Background Color by sanitizing output of "Save Background Image Colour" in file thumbnail dashboard single page with commit dbce253166f6b10ff3e0c09e50fd395370b8b065 for version 8 and commit 12183 for version 9. The Concrete CMS Security Team gave this a CVSS v4 score of 2.1 with vector CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Prior to the fix, a rogue admin could add malicious code to the Thumbnails/Add Type. Thanks Alexey Solovyev for reporting HackerOne 921527.

  • Fixed CVE-2024-7398 Stored XSS Vulnerability in Calendar Event Addition Feature with commit 7c8ed0d1d9db0d7f6df7fa066e0858ea618451a5 for version 8 and commits 12183 and 12184 for version 9. The Concrete CMS Security Team gave this vulnerability a CVSS v4 score of 1.8 with vector CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N. Prior to the fix, the calendar event name was not sanitized on output. Users or groups with permission to create event calendars could embed scripts and users or groups with permission to modify event calendars could execute scripts. Thank you Yusuke Uchida for reporting HackerOne 2400810.

  • Fixed CVE-2024-8660 Stored XSS in the "Top Navigator Bar" block with commit 12128. The Concrete CMS Security Team gave this vulnerability a CVSS v4 score of 4.6 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Prior to the fix, a rogue admin could add a malicious payload. Since "Top Navigator Bar" output was not sufficiently sanitized, the payload could be executed when targeted users visited the home page. This does not affect versions below 9 since they do not have the Top Navigation Bar Block. Thanks Chu Quoc Khanh for reporting HackerOne 2610205.

  • Fixed CVE-2024-8661 Stored XSS in the "Next&Previous Nav" block with commit 12204 for version 9 and with commit ce5ee2ab83fe8de6fa012dd51c5a1dde05cb0dc4 for version 8. The Concrete CMS Security Team gave this vulnerability a CVSS v4 score of 4.6 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Prior to the fix, a rogue admin could add a malicious payload. Since the "Next&Previous Nav" block output was not sufficiently sanitized, the malicious payload could be executed in the browsers of targeted users. Thanks Chu Quoc Khanh for reporting HackerOne 2610205

9.3.2

28 May 21:39

Bug Fixes

  • Fixed errors where copying a package after downloading it from the marketplace would throw an error under certain conditions.
  • Moving a stack from Orphan Blocks into the page 500 (thanks JohnTheFish)
  • Fixed: Stacks, Containers and Scrapbook blocks makes longer block cache than block cache setting (thanks hissy)
  • Fixed bug where boolean page attributes that are checked by default show up as checked even if they have previously been saved unchecked (thanks hissy)
  • Fixed error when using workflow under certain conditions in PHP 8+ (thanks pszostok)
  • Fixed: If you use advanced log configuration to set your own logger for Channels::META_CHANNEL_ALL, this logger gets applied to all core channels. Therefore you cannot set this at the same time as customising a specific core channel (thanks bikerdave)

Developer Updates

  • Updated scssphp/scssphp to a newer version, tweaking some output of the theme customizer (thanks mlocati)
