New Features
- Added Session Options Dashboard page that will allow administrators to configure many aspects of the session cookie.
Behavioral Improvements
- Added support for translation placeholders (thanks shahroq)
- Re-enabled connect to community for the marketplace; reworked to sidestep issues with browser cookie compatibility
- Add autocomplete=off to various password fields.
- "Index Search Engine - Updates" job should not re-index all entries (thanks hissy)
- Fix default formatting of datetime exports in express export csv (thanks deek87)
- Improvements to IP parsing for actions like allowlist/blocklist (thanks mlocati)
Bug Fixes
- Fixed error when pages weren’t getting accurately set in the full page cache.
- Fixes for errors/warnings occurring with PHP 7.3 and 7.4 when "Consider warnings as errors" is set (thanks arielkamoyedji)
- Additional dialogs within the CKEditor link dialog (Sitemap, Browse Server) prevent further page scrolling even after being closed (thanks hissy)
- Fix error attaching a Facebook account to a user profile (thanks biplobice)
- Fixed disappearing survey and calendar event dialogs in some cases (thanks hissy)
- Bug fixes on switching language using the Switch Language block (thanks biplobice)
- Fixed inability to save channel logging settings on the Dashboard page (thanks Hmone23)
- Fixed bug where layouts can’t be moved above blocks (thanks Haeflimi)
- Fixed bug in the 8.5 file manager when selecting a single file in the multi-file selector (thanks deek87)
- Fix to show page drafts created by the current user (thanks hissy)
- Fix user selector attribute being un-searchable (Note: you will have to recreate your attributes before they are properly searchable).
- Bug fixes to search popup with pagination (thanks deek87, katz, hissy)
- Fixed 403 Error in Page Defaults when using Redis for caching (thanks deek87)
Security Fixes
- Fixed Hackerone report 1102067, CVE-2021-40097: Authenticated path traversal to RCE, fixed by adding a regular expression
- Fixed Hackerone report 1102080, CVE-2021-40098: Path traversal leading to RCE via external form, fixed by adding a regular expression
- Fixed Hackerone report 982130, CVE-2021-40099: RCE vulnerability, fixed by fetching the update JSON from concrete5 over HTTPS (instead of HTTP)
- Fixed Hackerone report 616770, CVE-2021-40100: Stored XSS in Conversations (both client and admin) when Active Conversation Editor is set to "Rich Text"
- Fixed Hackerone report 921288, CVE-2021-40102: Arbitrary File delete via PHAR deserialization
- Fixed Hackerone report 1063039, CVE-2021-36766: Security issues when allowing phar:// within the directory input field. (thanks deek87)
- Fixed Hackerone report 1102211, CVE-2021-40103: Path Traversal to Arbitrary File Reading and SSRF
- Fixed Hackerone report 1102088, CVE-2021-40104: SVG sanitizer bypass, fixed by replacing the core SVG sanitizer with the third-party library darylldoyle/svg-sanitizer
- Fixed Hackerone report 1102054, CVE-2021-40105: Fixed XSS vulnerability in the Markdown Editor class in the conversation options
- Fixed Hackerone report 1102042, CVE-2021-40106: Unauthenticated stored XSS in blog comments (website field)
- Fixed Hackerone report 1102020, CVE-2021-40107: Stored XSS in comment section/File Manager via "view_inline" option
- Fixed Hackerone report 1102018, CVE-2021-40108: Adjusted core so that ccm_token is verified on "/index.php/ccm/calendar/dialogs/event/add/save" endpoint
- Fixed Hackerone report 1102225, which was split into two CVEs: an attacker could duplicate topics and files, which could possibly lead to UI inconvenience and exhaustion of disk space.
  For CVE-2021-22949: Added checking of the CSRF token when duplicating files in the File Manager.
  For CVE-2021-22953: Added checking of the CSRF token when cloning topics in the sitemap.
- Fixed Hackerone report 1102177, CVE-2021-22950: To fix CSRF in the conversation attachment delete action, updated core to verify ccm_token when conversation attachments are deleted.
- Fixed Hackerone report 1102105, CVE-2021-40109: To fix a reported SSRF vulnerability, the core was updated to disable redirects on upload, add an HTTP client method to send requests without following redirects, and put in a number of URL/IP protections (examples: blocked big-endian URLs, blocked IP variants from importing, prevented importing from hexadecimal/octal/long IPs)
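As an added illustration of the kind of guard the SSRF item above describes (example code, not Concrete CMS's own implementation): a URL-import check that accepts only canonical IP literals, rejects the hexadecimal/octal/shorthand/integer spellings the C resolver would still accept, refuses hosts that resolve to loopback, private or link-local space, and fetches without following redirects. The function names and the allowed-scheme set are assumptions.

```python
import ipaddress
import socket
import urllib.request
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

def canonical_ip(host):
    """Canonical IP literal -> ip_address; DNS name -> None; hex/octal/shorthand/
    integer forms that glibc's inet_aton still accepts -> ValueError."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        try:
            socket.inet_aton(host)     # accepts '0x7f.1', '127.1', '2130706433'
        except OSError:
            return None                # not numeric at all: treat as a hostname
        raise ValueError(f"non-canonical IP literal rejected: {host!r}")
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped            # ::ffff:127.0.0.1 is still loopback
    return ip

def import_url_problem(url):
    """None if url may be fetched, otherwise a string saying why it may not."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        return f"scheme not allowed or host missing: {url!r}"
    try:
        ip = canonical_ip(parts.hostname)
    except ValueError as err:
        return str(err)
    if ip is None:                     # DNS name: vet every address it resolves to
        addrs = {ipaddress.ip_address(i[4][0].split("%")[0])
                 for i in socket.getaddrinfo(parts.hostname, None)}
    else:
        addrs = {ip}
    for a in addrs:
        if (a.is_private or a.is_loopback or a.is_link_local or a.is_multicast
                or a.is_reserved or a.is_unspecified):
            return f"{parts.hostname!r} resolves to non-public address {a}"
    return None

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None                    # a 3xx raises HTTPError; it is never followed

def fetch_once(url, timeout=10):
    if (problem := import_url_problem(url)) is not None:
        raise ValueError(problem)
    return urllib.request.build_opener(_NoRedirect).open(url, timeout=timeout)
```

A redirect surfaces from fetch_once as an HTTPError; its Location header must go through import_url_problem() again before the target is fetched, since following redirects blindly is how the first check is typically sidestepped.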
(Special thanks to Solar Security Research Team and Concrete CMS Japan)