Current File : //var/softaculous/conc8/changelog.txt
9.3.4 Release Notes

New Features

    Added the ability to search pages by their cache settings in the advanced page search (thanks SashaMcr)

Behavioral Improvements

    Added Discord to Social Links (thanks RLHawk1)
    We now require the redirect URL when adding a new API integration (thanks mlocati)
    Canonical URL is now validated when saving (thanks hissy)

Bug Fixes

    Fixed some errors in the Add block dialog on the Stacks Dashboard page when running Concrete in strict mode (thanks mlocati)
    You can no longer choose Guest or Registered Users as groups to assign to users (which you shouldn’t have been able to do.)
    Fixed canonical URL sometimes not including the path to a subdirectory when the Concrete installation is in a subdirectory (thanks biplobice)
    Fixed: When selecting a topic to filter ExpressList, the previously selected topic remains (thanks hissy)
    c5:package:install CLI command: pass install options to install method (thanks mlocati)

Developer Updates

    Top Navigation Bar should work better on non-Bedrock themes (thanks RLHawk1)
    Some removals of deprecated Core::make() code from the core.
    Enhance c5:package:pack Command to Allow Flexible Output Path Without Requiring Zip File Name (thanks biplobice)

Security Updates

    Fixed CVE-2024-8291 Stored XSS in Image Editor Background Color by sanitizing the output of "Save Background Image Colour" in the file thumbnail dashboard single page, with commit dbce253166f6b10ff3e0c09e50fd395370b8b065 for version 8 and commit 12183 for version 9. The Concrete CMS Security Team gave this a CVSS v4 score of 2.1 with vector CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Prior to the fix, a rogue admin could add malicious code to the Thumbnails/Add Type. Thanks Alexey Solovyev for reporting HackerOne 921527.

    Fixed CVE-2024-7398 Stored XSS Vulnerability in Calendar Event Addition Feature with commit 7c8ed0d1d9db0d7f6df7fa066e0858ea618451a5 for version 8 and commits 12183 and 12184 for version 9. The Concrete CMS Security Team gave this vulnerability a CVSS v4 score of 1.8 with vector CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N. Prior to the fix, the calendar event name was not sanitized on output. Users or groups with permission to create event calendars could embed scripts, and users or groups with permission to modify event calendars could execute scripts. Thank you Yusuke Uchida for reporting HackerOne 2400810.

    Fixed CVE-2024-8660 Stored XSS in the "Top Navigator Bar" block with commit 12128. The Concrete CMS Security Team gave this vulnerability a CVSS v4 score of 4.6 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Prior to the fix, a rogue admin could add a malicious payload. Since "Top Navigator Bar" output was not sufficiently sanitized, the payload could be executed when targeted users visited the home page. This does not affect versions below 9, since they do not have the Top Navigation Bar block. Thanks Chu Quoc Khanh for reporting HackerOne 2610205.

    Fixed CVE-2024-8661 Stored XSS in the "Next&Previous Nav" block with commit 12204 for version 9 and with commit ce5ee2ab83fe8de6fa012dd51c5a1dde05cb0dc4 for version 8. The Concrete CMS Security Team gave this vulnerability a CVSS v4 score of 4.6 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Prior to the fix, a rogue admin could add a malicious payload. Since the "Next&Previous Nav" block output was not sufficiently sanitized, the malicious payload could be executed in the browsers of targeted users. Thanks Chu Quoc Khanh for reporting HackerOne 2610205.
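The four fixes above are all output-sanitization fixes: a value an administrator stored is escaped or validated at render time rather than trusted. The following is an added example, not Concrete CMS code, showing the two patterns involved: HTML escaping for a title rendered as text, and allow-list validation for a colour value that lands inside a style attribute (where HTML escaping alone does not help). The function and variable names are hypothetical.

```php
<?php
// Added example (not Concrete CMS code): output sanitization for stored block data.
// Stored values are untrusted at render time regardless of who saved them.
declare(strict_types=1);

// Text node or quoted attribute value: HTML-escape every special character.
function escapeHtmlText(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// A colour that ends up inside a style attribute cannot be made safe by
// HTML escaping (CSS has its own syntax), so validate it against an
// allow-list pattern (#rgb or #rrggbb) and fall back to a default otherwise.
function sanitizeCssColor(string $value, string $default = '#ffffff'): string
{
    $value = trim($value);
    return preg_match('/\A#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})\z/', $value) === 1
        ? strtolower($value)
        : $default;
}

// Hypothetical render function for a block that shows a title on a coloured
// background; $title and $color come from stored block data.
function renderBlockHeader(string $title, string $color): string
{
    return sprintf(
        '<div class="block-header" style="background-color: %s">%s</div>',
        sanitizeCssColor($color),
        escapeHtmlText($title)
    );
}

// Constructed sample values: a title containing markup and a string that is
// not a colour. Both are neutralized: the markup becomes entities and the
// colour falls back to the default.
$title = 'Spring <b>Sale</b> & more';
$color = 'red; background-image: url(x)';
echo renderBlockHeader($title, $color), PHP_EOL;
```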
	
9.3.3 Release Notes

New Features

    There is now an Add Page button when editing a site in mobile view (thanks hissy)

Behavioral Improvements

    Improved installation speed.
    Viewing a Dashboard user search preset and exporting will now properly export just the users in those search results (thanks SashaMcr)
    Dialogs and panels do not burst out of small screens when editing on mobile devices (thanks hissy)
    Allow using "secure" cookies automatically for HTTPS requests (thanks mlocati)
    We now display the particular user that owns the writable directories on installation when checking that those directories are writable fails (thanks mlocati)
    The Express Form block now uses the email HTML input type for email addresses, enabling better validation (thanks bikerdave)
    Changed the hardcoded "items per page" to a configurable setting in the file chooser (thanks SashaMcr)
    Fixed: Indexes for text fields removed after refreshing entities (thanks mlocati)
    Improved suggested nginx rule for enabling pretty URLs (thanks mlocati)
    Switch name of Concrete Monolog Cascade package (thanks bikerdave)
    Better output sanitization in Top Navigation Bar block (thanks hissy)
    Added additional explanation to the version scheduling interface (thanks KnollElias)

Bug Fixes

    Fix: mobile editing menu had not been working in version 9 (thanks hissy)
    Fixed error where the remote updater threw "The directory %s already exists. Perhaps this item has already been installed." when attempting to run the remote updater.
    Updated verbiage on old featured theme and featured add-on Dashboard notification blocks, in case they’re installed on some older upgraded sites.
    Fixed error on some sites when accidentally including a malformed package in the packages/ directory (thanks mlocati)
    Fixed: Custom topic of page list block doesn't get saved (thanks hissy)
    Fixed: Calendar Events with Versions created by Deleted Users Cannot be Edited
    Fix type of "length" ORM annotation in SearchResult Health entity (thanks mlocati)
    Fixed possible errors when using the Switch Language block to switch languages (thanks biplobice)
    Fixed errors attempting to link over to the marketplace when the Concrete site in question does not have a public and private marketplace key (thanks pszostok)
    Fixed: Share this Page “Print” option does not work.
    Removed ID from X sharing service icon, because adding it to the page multiple times could cause W3C validation to complain (thanks quentinnorbert0)
    Fixed error where third party library zircote/swagger-php could block installation of Concrete in Composer installations.
    Fixed error related to lingering version block entries in the database persisting after they should be deleted under very specific circumstances (thanks bleenders)
    Fixed: Error thrown when trying to save user attribute under very specific circumstances (thanks mnakalay)
    Fixed: Foreign key constraint violation when deleting users associated with Board InstanceSlotRules

Developer Updates

    Translation library parsers can now be customized and extended (thanks mlocati)

Security Updates

    Fixed CVE-2024-4350 Stored XSS in RSS Displayer with commit 12166 for version 9 and with commit c08d9671cec4e7afdabb547339c4bc0bed8eab06 for version 8. Prior to the fix, a rogue administrator could inject malicious code into fields due to insufficient input validation. The Concrete CMS security team gave this vulnerability a CVSS v3.1 score of 3.0 with a vector of AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N and a CVSS v4 score of 2.1 with vector CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks m3dium for reporting HackerOne 2479824.

    Fixed CVE-2024-4353 Stored XSS in Generate Board Name Input Field with commit 12151. Prior to the fix, the name input field did not check the input sufficiently, letting a rogue administrator inject malicious JavaScript code. The Concrete CMS security team gave this vulnerability a CVSS v3.1 score of 3.1 with a vector of AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N and a CVSS v4 score of 1.8 with vector CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. Concrete versions below 9 are not affected by this vulnerability. Thanks fhAnso for reporting HackerOne 2597394.

    Fixed CVE-2024-7394 Stored XSS in getAttributeSetName() by sanitizing Board instance names on output with commit 12166 for version 9 and commit c08d9671cec4e7afdabb547339c4bc0bed8eab06 for version 8. Prior to the fix, a rogue administrator could inject malicious code. The Concrete CMS team gave this a CVSS v3.1 score of 2 with vector AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N and a CVSS v4.0 score of 1.8 with vector CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks m3dium for reporting HackerOne 2463288.

    Fixed CVE-2024-7512 Stored XSS in Board instances by sanitizing instance names with commit https://github.com/concretecms/concretecms/pull/12151. Prior to the fix, a rogue administrator could inject malicious code. The Concrete CMS security team gave this vulnerability a CVSS 4.0 score of 1.8 with vector CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Versions below 9 are not affected. Thanks m3dium for reporting HackerOne 2486344.

    Show a more generic error message in the RSS Displayer block if curl is unable to load posts. Thanks m3dium for recommending this in HackerOne 2479824.

    Concrete v9.3.3 now enforces the Secure flag for the CONCRETE cookie by default if a login request is made over https. This is in line with industry best practice. If a site is served over http:// and the guest uses http:// to log in, the CONCRETE cookie will not have the Secure flag applied, so that the site remains usable. Although the patch could not be applied cleanly to version 8, the Secure flag setting can be configured via the dashboard. Since this is a configuration setting, no CVE is being issued. Thanks Yusuke Uchida for reporting HackerOne 2399192.
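The cookie policy described in the note above, written out as an added stand-alone example (not Concrete CMS code): the Secure flag follows the scheme of the login request unless a site setting forces it on, and the HTTPS check only trusts a proxy header when the deployment is known to sit behind a TLS-terminating proxy. The function names and the "force secure" setting are hypothetical stand-ins for the dashboard configuration the note mentions.

```php
<?php
// Added example (not Concrete CMS code): Secure-flag policy for the session cookie.
declare(strict_types=1);

// Decide whether the request arrived over HTTPS. Only trust X-Forwarded-Proto
// when the site is deliberately deployed behind a TLS-terminating proxy;
// otherwise a client could set the header itself.
function requestIsHttps(array $server, bool $behindTrustedProxy = false): bool
{
    if (!empty($server['HTTPS']) && strtolower((string) $server['HTTPS']) !== 'off') {
        return true;
    }
    if ($behindTrustedProxy && isset($server['HTTP_X_FORWARDED_PROTO'])) {
        return strtolower(trim((string) $server['HTTP_X_FORWARDED_PROTO'])) === 'https';
    }
    return false;
}

// Secure flag policy: always on when the site configuration forces it
// (the dashboard setting the note refers to), otherwise on exactly when the
// login request itself used HTTPS, so a site served only over plain HTTP
// still receives a usable session cookie.
function cookieSecureFlag(bool $isHttps, bool $forceSecure): bool
{
    return $forceSecure || $isHttps;
}

// Build the options array for setcookie() (PHP 7.3+ array form).
function sessionCookieOptions(array $server, bool $forceSecure, bool $behindTrustedProxy = false): array
{
    return [
        'path'     => '/',
        'secure'   => cookieSecureFlag(requestIsHttps($server, $behindTrustedProxy), $forceSecure),
        'httponly' => true,
    ];
}

// Constructed request environments for a quick self-check.
$httpsRequest = ['HTTPS' => 'on'];
$plainRequest = ['HTTP_HOST' => 'example.test'];
$spoofed      = ['HTTP_HOST' => 'example.test', 'HTTP_X_FORWARDED_PROTO' => 'https'];

assert(sessionCookieOptions($httpsRequest, false)['secure'] === true);   // https login: Secure set
assert(sessionCookieOptions($plainRequest, false)['secure'] === false);  // http login: usable cookie
assert(sessionCookieOptions($plainRequest, true)['secure'] === true);    // setting forces Secure
assert(sessionCookieOptions($spoofed, false)['secure'] === false);       // header ignored without proxy
assert(sessionCookieOptions($spoofed, false, true)['secure'] === true);  // honoured behind trusted proxy

// In a login handler: setcookie('CONCRETE', $sessionId, sessionCookieOptions($_SERVER, $forceSecure));
```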