CVE-2022-29933: cms/CHANGELOG.md at develop · craftcms/cms

Craft CMS through 3.7.36 allows a remote unauthenticated attacker, who knows at least one valid username, to reset the account’s password and take over the account by providing a crafted HTTP header to the application while using the password reset functionality. Specifically, the attacker must send X-Forwarded-Host to the /index.php?p=admin/actions/users/send-password-reset-email URI. NOTE: the vendor’s position is that a customer can already work around this by adjusting the configuration (i.e., by not using the default configuration).
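The following detection sketch is an added example, not code from the advisory or from Craft CMS. It scans request logs for password-reset requests whose X-Forwarded-Host is not one of the site's own hostnames. The JSON log layout, its field names, the hostnames in `EXPECTED_HOSTS` and the sample lines are all assumptions constructed for illustration.

```python
import json
from urllib.parse import parse_qs, unquote, urlsplit

# Action route named in the CVE description above.
RESET_ACTION = "actions/users/send-password-reset-email"

# Assumption: the hostnames this site is legitimately served under.
EXPECTED_HOSTS = {"cms.example.test", "www.example.test"}

# Constructed sample log, one JSON object per request. The field names are
# assumptions about how a proxy or web server was set up to log these values.
SAMPLE_LOG = """\
{"ts": "2022-05-10T09:14:02Z", "src": "198.51.100.7", "method": "POST", "uri": "/index.php?p=admin/actions/users/send-password-reset-email", "x_forwarded_host": "reset.unexpected.invalid"}
{"ts": "2022-05-10T09:20:41Z", "src": "203.0.113.15", "method": "POST", "uri": "/index.php?p=admin/actions/users/send-password-reset-email", "x_forwarded_host": "cms.example.test"}
{"ts": "2022-05-10T09:21:10Z", "src": "203.0.113.15", "method": "GET", "uri": "/index.php?p=admin/login", "x_forwarded_host": "other.unexpected.invalid"}
{"ts": "2022-05-10T09:30:55Z", "src": "198.51.100.7", "method": "POST", "uri": "/index.php?p=admin%2Factions%2Fusers%2Fsend-password-reset-email", "x_forwarded_host": "CMS.example.test:443, edge.unexpected.invalid"}
{"ts": "2022-05-10T09:45:00Z", "src": "192.0.2.44", "method": "POST", "uri": "/index.php?p=admin/actions/users/send-password-reset-email", "x_forwarded_host": null}
"""


def is_reset_request(uri):
    """True when the URI targets the password-reset action, whether the route
    is carried in the `p` query parameter or in the path itself."""
    parts = urlsplit(uri)
    # parse_qs percent-decodes query values; the path is decoded explicitly.
    candidates = [unquote(parts.path)] + parse_qs(parts.query).get("p", [])
    return any(c.strip("/").lower().endswith(RESET_ACTION) for c in candidates)


def forwarded_hosts(raw):
    """Split an X-Forwarded-Host value into normalized hostnames.

    The header may hold a comma-separated chain and each entry may carry a
    port, so every entry is lower-cased and stripped of its port."""
    hosts = []
    for part in (raw or "").split(","):
        part = part.strip().lower()
        if not part:
            continue
        if part.startswith("[") and "]" in part:   # bracketed IPv6, optional port
            part = part[: part.find("]") + 1]
        elif part.count(":") == 1:                 # hostname:port
            part = part.split(":", 1)[0]
        hosts.append(part.rstrip("."))
    return hosts


def find_suspicious(log_text, expected_hosts=EXPECTED_HOSTS):
    """Return one finding per reset request that names an unexpected host."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # unparsable line: skip rather than abort the scan
        if not isinstance(rec, dict) or not is_reset_request(rec.get("uri") or ""):
            continue
        unexpected = [h for h in forwarded_hosts(rec.get("x_forwarded_host"))
                      if h not in expected_hosts]
        if unexpected:
            findings.append({
                "line": lineno,
                "ts": rec.get("ts"),
                "src": rec.get("src"),
                "unexpected_hosts": unexpected,
            })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG):
        print(finding)
```

Requests that pass this check can still be worth reviewing when the same source requests resets for many usernames; the check only covers the header condition the CVE describes.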


Release Notes for Craft CMS 4

Unreleased

Fixed

  • Fixed an error that occurred when searching for elements by a custom field. (#11120)

4.0.1 - 2022-05-06

Fixed

  • Fixed a bug where Money field labels’ for attributes weren’t referencing the correct input ID. (#11016)
  • Fixed a bug where Money field inputs weren’t getting aria-describedby attributes. (#11016)
  • Fixed an error that occurred when loading an edit screen for an element type that didn’t have a field layout. (#11110)
  • Fixed a bug where condition rules that weren’t selectable (per isSelectable()) were still visible in the rule dropdown menu. (#11104)
  • Fixed a bug where element edit pages could reload themselves immediately after saving the element. (#11084)
  • Fixed a bug where tabs weren’t interactive after changing an entry’s type. (#11093)
  • Fixed a bug where Twig syntax errors weren’t being handled properly. (#11108)

4.0.0.1 - 2022-05-04

Changed

  • The setup command now writes the application ID to a CRAFT_APP_ID environment variable.
  • The setup command now writes the security key to a CRAFT_SECURITY_KEY environment variable.

4.0.0 - 2022-05-04

Added

  • Entries’, categories’, and assets’ edit pages, and all element types via slideouts, now use a unified editing experience. (#10467)
  • Categories now support drafts. (#10467)
  • Element slideouts now support provisional drafts and autosaving, for element types that support them. (#10467)
  • Element indexes can now be filtered by element attributes and custom field values. (#9192, #9450, #9462, #9483)
  • Admins can now create custom element sources from the Customize Sources modal. (#8423)
  • It’s now possible to disable native element sources from the Customize Sources modal. (#10676)
  • Field layout tabs, fields, and UI elements can now be conditionally shown based on properties of the current user and/or element being edited. (#8099, #8154)
  • Assets, Entries, and Users fields have new condition settings that can be used to further limit which elements should be relatable, beyond the existing field settings. (#10393)
  • Assets, Entries, and Users fields have new “Min Relations” settings, and their former “Limit” settings have been renamed to “Max Relations”. (#8621)
  • Added a dedicated “Full Name” field to users. “First Name” and “Last Name” are now parsed out from the full name automatically when a user is saved. (#10405)
  • Added the “Inactive” user status, which can be used for users that can’t be signed into. (#8963)
  • Added “Credentialed” and “Inactive” user sources.
  • Added the “Deactivate…” user action for pending and active users.
  • Users can now have an “Addresses” field. (#10507)
  • Added the concept of “filesystems”, which handle file operations, either locally or on a remote service like Amazon S3.
  • It’s now possible to set sites’ Status settings to environment variables. (#3005)
  • Added the Money field type.
  • Craft now provides a native “Alternative Text” (alt) field for assets. (#10302)
  • Asset thumbnails in the control panel now have alt attributes, for assets with a filled-in Alternative Text value.
  • Added the index-assets/cleanup command.
  • Added the “Deactivate users by default” user registration setting, which replaces “Suspend users by default”. (#5830)
  • Element source settings are now stored in the project config. (#8616)
  • Improved element index accessibility. (#10629, #10660)
  • Improved Live Preview accessibility for screen readers. (#10688)
  • Slideouts, Live Preview, and Matrix blocks are no longer animated for browsers that have requested reduced motion. (#10665)
  • Added support for JSON columns. (#9089)
  • It’s now possible to edit images’ focal points from their preview modals. (#8489)
  • Added support for Monolog and the PSR-3 logging interface. (#10659)
  • Added the |address Twig filter.
  • Added the |money Twig filter.
  • Added the collect() Twig function.
  • Added the assetUploaders, authors, and fullName user query params.
  • Added the primaryOwner and primaryOwnerId Matrix block query params.
  • Added the hasAlt asset query param.
  • Added the button, submitButton, fs, fsField, volume, and volumeField macros to the _includes/forms control panel template.
  • Added the buildId general config. (#10705)
  • Added support for setting custom config settings from config/custom.php, which are accessible via Craft::$app->config->custom. (#10012)
  • Added the addresses, address, and addressCount GraphQL queries.
  • Added the hasAlt argument to asset GraphQL queries.
  • Added the alt field to assets queried via GraphQL.
  • Added the fullName, assetUploaders, and authors arguments to user GraphQL queries.
  • Added the addresses field to user GraphQL queries.
  • GraphQL schemas now include settings that determine which sites elements can be queried from. (#10610)
  • Added the assets/icon action.
  • Added the assets/update-focal-point action.
  • Added the categories/create action.
  • Added the elements/apply-draft action.
  • Added the elements/create action.
  • Added the elements/delete-draft action.
  • Added the elements/delete-for-site action.
  • Added the elements/delete action.
  • Added the elements/duplicate action.
  • Added the elements/edit action.
  • Added the elements/redirect action.
  • Added the elements/revert action.
  • Added the elements/save-draft action.
  • Added the elements/save action.
  • Added the users/delete-address action.
  • Added the users/save-address action.
  • Added the app/render-element control panel controller action.
  • Added the element-indexes/element-table-html control panel controller action.
  • Added craft\base\ApplicationTrait::getConditions().
  • Added craft\base\ApplicationTrait::getElementSources(), which replaces getElementIndexes().
  • Added craft\base\ApplicationTrait::getFs().
  • Added craft\base\ApplicationTrait::getImageTransforms(), which replaces getAssetTransforms().
  • Added craft\base\conditions\BaseCondition.
  • Added craft\base\conditions\BaseConditionRule.
  • Added craft\base\conditions\BaseDateRangeConditionRule.
  • Added craft\base\conditions\BaseElementSelectConditionRule.
  • Added craft\base\conditions\BaseLightswitchConditionRule.
  • Added craft\base\conditions\BaseMultiSelectConditionRule.
  • Added craft\base\conditions\BaseNumberConditionRule.
  • Added craft\base\conditions\BaseSelectConditionRule.
  • Added craft\base\conditions\BaseTextConditionRule.
  • Added craft\base\conditions\ConditionInterface.
  • Added craft\base\conditions\ConditionRuleInterface.
  • Added craft\base\Element::EVENT_AUTHORIZE_CREATE_DRAFTS.
  • Added craft\base\Element::EVENT_AUTHORIZE_DELETE_FOR_SITE.
  • Added craft\base\Element::EVENT_AUTHORIZE_DELETE.
  • Added craft\base\Element::EVENT_AUTHORIZE_DUPLICATE.
  • Added craft\base\Element::EVENT_AUTHORIZE_SAVE.
  • Added craft\base\Element::EVENT_AUTHORIZE_VIEW.
  • Added craft\base\Element::EVENT_DEFINE_ADDITIONAL_BUTTONS. (#10420)
  • Added craft\base\Element::getParentId().
  • Added craft\base\Element::hasNewParent().
  • Added craft\base\Element::notesFieldHtml().
  • Added craft\base\Element::setParentId().
  • Added craft\base\Element::statusFieldHtml().
  • Added craft\base\ElementInterface::canCreateDrafts().
  • Added craft\base\ElementInterface::canDelete().
  • Added craft\base\ElementInterface::canDeleteForSite().
  • Added craft\base\ElementInterface::canDuplicate().
  • Added craft\base\ElementInterface::canSave().
  • Added craft\base\ElementInterface::canView().
  • Added craft\base\ElementInterface::createAnother().
  • Added craft\base\ElementInterface::createCondition().
  • Added craft\base\ElementInterface::getAdditionalButtons().
  • Added craft\base\ElementInterface::getPostEditUrl().
  • Added craft\base\ElementInterface::getThumbAlt().
  • Added craft\base\ElementInterface::hasRevisions().
  • Added craft\base\ElementInterface::prepareEditScreen().
  • Added craft\base\FieldInterface::getElementConditionRuleType().
  • Added craft\base\FieldInterface::isRequirable().
  • Added craft\base\FieldLayoutComponent.
  • Added craft\base\Fs.
  • Added craft\base\FsInterface.
  • Added craft\base\FsTrait.
  • Added craft\base\Image::heartbeat().
  • Added craft\base\Image::setHeartbeatCallback().
  • Added craft\base\imagetransforms\EagerImageTransformerInterface.
  • Added craft\base\imagetransforms\ImageEditorTransformerInterface.
  • Added craft\base\imagetransforms\ImageTransformerInterface.
  • Added craft\base\LocalFsInterface.
  • Added craft\base\Model::defineBehaviors(). (#10691)
  • Added craft\base\ModelInterface.
  • Added craft\base\NameTrait.
  • Added craft\base\PluginInterface::config(). (#11039)
  • Added craft\behaviors\SessionBehavior::broadcastToJs().
  • Added craft\behaviors\SessionBehavior::getError().
  • Added craft\behaviors\SessionBehavior::getNotice().
  • Added craft\controllers\AddressesController.
  • Added craft\controllers\AssetIndexesController.
  • Added craft\controllers\ConditionsController.
  • Added craft\controllers\ElementIndexesController::$condition.
  • Added craft\controllers\FsController.
  • Added craft\controllers\ImageTransformsController.
  • Added craft\db\Migration::archiveTableIfExists(). (#10827)
  • Added craft\db\Migration::dropAllForeignKeysToTable().
  • Added craft\db\Migration::dropForeignKeyIfExists().
  • Added craft\db\Migration::renameTable().
  • Added craft\db\Query::collect(), which returns the query results as an Illuminate\Support\Collection object rather than an array. (#8513)
  • Added craft\db\Table::ADDRESSES.
  • Added craft\db\Table::ASSETINDEXINGSESSIONS.
  • Added craft\db\Table::IMAGETRANSFORMINDEX.
  • Added craft\db\Table::IMAGETRANSFORMS.
  • Added craft\db\Table::MATRIXBLOCKS_OWNERS.
  • Added craft\debug\LogTarget.
  • Added craft\debug\MailPanel.
  • Added craft\elements\Address.
  • Added craft\elements\Asset::$alt.
  • Added craft\elements\Asset::EVENT_AFTER_GENERATE_TRANSFORM.
  • Added craft\elements\Asset::EVENT_BEFORE_GENERATE_TRANSFORM.
  • Added craft\elements\Asset::getFs().
  • Added craft\elements\Asset::setFilename().
  • Added craft\elements\conditions\addresses\AddressCondition.
  • Added craft\elements\conditions\addresses\CountryConditionRule.
  • Added craft\elements\conditions\assets\AssetCondition.
  • Added craft\elements\conditions\assets\DateModifiedConditionRule.
  • Added craft\elements\conditions\assets\FilenameConditionRule.
  • Added craft\elements\conditions\assets\FileSizeConditionRule.
  • Added craft\elements\conditions\assets\FileTypeConditionRule.
  • Added craft\elements\conditions\assets\HasAltConditionRule.
  • Added craft\elements\conditions\assets\HeightConditionRule.
  • Added craft\elements\conditions\assets\UploaderConditionRule.
  • Added craft\elements\conditions\assets\VolumeConditionRule.
  • Added craft\elements\conditions\assets\WidthConditionRule.
  • Added craft\elements\conditions\categories\CategoryCondition.
  • Added craft\elements\conditions\categories\GroupConditionRule.
  • Added craft\elements\conditions\DateCreatedConditionRule.
  • Added craft\elements\conditions\DateUpdatedConditionRule.
  • Added craft\elements\conditions\ElementCondition.
  • Added craft\elements\conditions\ElementConditionInterface.
  • Added craft\elements\conditions\ElementConditionRuleInterface.
  • Added craft\elements\conditions\entries\AuthorConditionRule.
  • Added craft\elements\conditions\entries\AuthorGroupConditionRule.
  • Added craft\elements\conditions\entries\EntryCondition.
  • Added craft\elements\conditions\entries\ExpiryDateConditionRule.
  • Added craft\elements\conditions\entries\PostDateConditionRule.
  • Added craft\elements\conditions\entries\SectionConditionRule.
  • Added craft\elements\conditions\entries\TypeConditionRule.
  • Added craft\elements\conditions\HasUrlConditionRule.
  • Added craft\elements\conditions\IdConditionRule.
  • Added craft\elements\conditions\LevelConditionRule.
  • Added craft\elements\conditions\RelatedToConditionRule.
  • Added craft\elements\conditions\SlugConditionRule.
  • Added craft\elements\conditions\tags\GroupConditionRule.
  • Added craft\elements\conditions\tags\TagCondition.
  • Added craft\elements\conditions\TitleConditionRule.
  • Added craft\elements\conditions\UriConditionRule.
  • Added craft\elements\conditions\users\AdminConditionRule.
  • Added craft\elements\conditions\users\CredentialedConditionRule.
  • Added craft\elements\conditions\users\EmailConditionRule.
  • Added craft\elements\conditions\users\FirstNameConditionRule.
  • Added craft\elements\conditions\users\GroupConditionRule.
  • Added craft\elements\conditions\users\LastLoginDateConditionRule.
  • Added craft\elements\conditions\users\LastNameConditionRule.
  • Added craft\elements\conditions\users\UserCondition.
  • Added craft\elements\conditions\users\UsernameConditionRule.
  • Added craft\elements\db\AddressQuery.
  • Added craft\elements\MatrixBlock::$primaryOwnerId.
  • Added craft\elements\MatrixBlock::$saveOwnership.
  • Added craft\elements\User::$active.
  • Added craft\elements\User::$fullName.
  • Added craft\elements\User::canAssignUserGroups().
  • Added craft\elements\User::getAddresses().
  • Added craft\elements\User::getIsCredentialed().
  • Added craft\elements\User::STATUS_INACTIVE.
  • Added craft\errors\FsException.
  • Added craft\errors\FsObjectExistsException.
  • Added craft\errors\FsObjectNotFoundException.
  • Added craft\errors\ImageTransformException.
  • Added craft\errors\InvalidFsException.
  • Added craft\errors\MissingVolumeFolderException.
  • Added craft\events\AuthorizationCheckEvent.
  • Added craft\events\CreateElementCheckEvent.
  • Added craft\events\DefineElementEditorHtmlEvent.
  • Added craft\events\DefineElementInnerHtmlEvent. (#11035)
  • Added craft\events\DefineHtmlEvent::$static.
  • Added craft\events\FsEvent.
  • Added craft\events\GenerateTransformEvent::$asset.
  • Added craft\events\GenerateTransformEvent::$transform.
  • Added craft\events\GenerateTransformEvent::$url.
  • Added craft\events\ImageTransformerOperationEvent.
  • Added craft\events\ImageTransformEvent.
  • Added craft\events\RegisterConditionRuleTypesEvent.
  • Added craft\events\TransformImageEvent.
  • Added craft\fieldlayoutelements\addresses\AddressField.
  • Added craft\fieldlayoutelements\addresses\CountryCodeField.
  • Added craft\fieldlayoutelements\addresses\LabelField.
  • Added craft\fieldlayoutelements\addresses\LatLongField.
  • Added craft\fieldlayoutelements\addresses\OrganizationField.
  • Added craft\fieldlayoutelements\addresses\OrganizationTaxIdField.
  • Added craft\fieldlayoutelements\assets\AltField.
  • Added craft\fieldlayoutelements\BaseField::selectorLabel().
  • Added craft\fieldlayoutelements\FullNameField.
  • Added craft\fieldlayoutelements\TextareaField.
  • Added craft\fieldlayoutelements\users\AddressesField.
  • Added craft\fields\Assets::$allowSubfolders.
  • Added craft\fields\Assets::$restrictedDefaulUploadSubpath.
  • Added craft\fields\BaseRelationField::createSelectionCondition().
  • Added craft\fields\BaseRelationField::getSelectionCondition().
  • Added craft\fields\BaseRelationField::setSelectionCondition().
  • Added craft\fields\conditions\DateFieldConditionRule.
  • Added craft\fields\conditions\FieldConditionRuleInterface.
  • Added craft\fields\conditions\FieldConditionRuleTrait.
  • Added craft\fields\conditions\LightswitchFieldConditionRule.
  • Added craft\fields\conditions\NumberFieldConditionRule.
  • Added craft\fields\conditions\OptionsFieldConditionRule.
  • Added craft\fields\conditions\RelationalFieldConditionRule.
  • Added craft\fields\conditions\TextFieldConditionRule.
  • Added craft\fields\Money.
  • Added craft\fs\Local.
  • Added craft\fs\MissingFs.
  • Added craft\fs\Temp.
  • Added craft\gql\arguments\elements\Address.
  • Added craft\gql\base\SingularTypeInterface.
  • Added craft\gql\interfaces\elements\Address.
  • Added craft\gql\queries\Address.
  • Added craft\gql\resolvers\elements\Address.
  • Added craft\gql\TypeManager::registerFieldDefinitions().
  • Added craft\gql\types\elements\Address.
  • Added craft\gql\types\generators\AddressType.
  • Added craft\helpers\App::cliOption().
  • Added craft\helpers\App::devMode().
  • Added craft\helpers\App::envConfig(). (#10869)
  • Added craft\helpers\App::isStreamLog().
  • Added craft\helpers\App::normalizeValue().
  • Added craft\helpers\Assets::downloadFile().
  • Added craft\helpers\Assets::iconPath().
  • Added craft\helpers\Assets::iconUrl().
  • Added craft\helpers\Assets::revParams().
  • Added craft\helpers\Cp::addressCardHtml().
  • Added craft\helpers\Cp::addressCardsHtml().
  • Added craft\helpers\Cp::addressFieldsHtml().
  • Added craft\helpers\Cp::dateFieldHtml().
  • Added craft\helpers\Cp::dateHtml().
  • Added craft\helpers\Cp::elementSelectHtml().
  • Added craft\helpers\Cp::EVENT_DEFINE_ELEMENT_INNER_HTML. (#11035)
  • Added craft\helpers\Cp::fieldLayoutDesignerHtml().
  • Added craft\helpers\Cp::lightswitchHtml().
  • Added craft\helpers\Cp::multiSelectFieldHtml().
  • Added craft\helpers\Cp::multiSelectHtml().
  • Added craft\helpers\Cp::requestedSite().
  • Added craft\helpers\Cp::textareaHtml().
  • Added craft\helpers\Cp::textHtml().
  • Added craft\helpers\Cp::timeFieldHtml().
  • Added craft\helpers\Cp::timeHtml().
  • Added craft\helpers\Db::dropAllForeignKeysToTable().
  • Added craft\helpers\Db::dropForeignKeyIfExists().
  • Added craft\helpers\Db::dropIndexIfExists().
  • Added craft\helpers\Db::findForeignKey().
  • Added craft\helpers\Db::findIndex().
  • Added craft\helpers\Db::parseMoneyParam().
  • Added craft\helpers\Db::parseNumericParam().
  • Added craft\helpers\Db::prepareMoneyForDb().
  • Added craft\helpers\Db::renameTable().
  • Added craft\helpers\FileHelper::deleteFileAfterRequest().
  • Added craft\helpers\FileHelper::deleteQueuedFiles().
  • Added craft\helpers\Gql::getSchemaContainedEntryTypes().
  • Added craft\helpers\Html::hiddenLabel().
  • Added craft\helpers\Html::unwrapCondition().
  • Added craft\helpers\Html::unwrapNoscript().
  • Added craft\helpers\ImageTransforms.
  • Added craft\helpers\Money.
  • Added craft\helpers\Number::isInt().
  • Added craft\helpers\Number::toIntOrFloat().
  • Added craft\helpers\ProjectConfig::encodeValueAsString().
  • Added craft\helpers\ProjectConfig::ensureAllSectionsProcessed().
  • Added craft\helpers\ProjectConfig::traverseDataArray().
  • Added craft\helpers\Typecast. (#10706)
  • Added craft\i18n\Translation.
  • Added craft\imagetransforms\ImageTransformer.
  • Added craft\log\ContextProcessor.
  • Added craft\log\Dispatcher::getTargets().
  • Added craft\log\MessageProcessor.
  • Added craft\log\MonologTarget.
  • Added craft\models\AssetIndexingSession.
  • Added craft\models\FieldLayout::getElementsByType().
  • Added craft\models\FieldLayout::getFirstElementByType().
  • Added craft\models\FieldLayout::getFirstVisibleElementByType().
  • Added craft\models\FieldLayout::getVisibleCustomFields().
  • Added craft\models\FieldLayout::getVisibleElementsByType().
  • Added craft\models\FieldLayoutElement::$uid.
  • Added craft\models\FieldLayoutElement::getLayout() and setLayout().
  • Added craft\models\FieldLayoutForm::getVisibleElements().
  • Added craft\models\FieldLayoutFormTab::getTabId().
  • Added craft\models\FieldLayoutFormTab::getUid().
  • Added craft\models\FieldLayoutTab::getElements() and setElements().
  • Added craft\models\FsListing.
  • Added craft\models\ImageTransform.
  • Added craft\models\ImageTransformIndex.
  • Added craft\models\ProjectConfigData.
  • Added craft\models\ReadOnlyProjectConfigData.
  • Added craft\models\Volume.
  • Added craft\queue\jobs\Proxy.
  • Added craft\queue\Queue::$proxyQueue, which can be set to another queue configuration that all jobs should be sent to as proxies. (#10999)
  • Added craft\records\Address.
  • Added craft\records\AssetIndexingSession.
  • Added craft\records\ImageTransform.
  • Added craft\services\Addresses.
  • Added craft\services\AssetIndexer::createIndexingSession().
  • Added craft\services\AssetIndexer::getExistingIndexingSessions().
  • Added craft\services\AssetIndexer::getIndexingSessionById().
  • Added craft\services\AssetIndexer::getMissingEntriesForSession().
  • Added craft\services\AssetIndexer::getSkippedItemsForSession().
  • Added craft\services\AssetIndexer::indexFileByListing().
  • Added craft\services\AssetIndexer::indexFolderByEntry().
  • Added craft\services\AssetIndexer::indexFolderByListing().
  • Added craft\services\AssetIndexer::processIndexSession().
  • Added craft\services\AssetIndexer::removeCliIndexingSessions().
  • Added craft\services\AssetIndexer::startIndexingSession().
  • Added craft\services\AssetIndexer::stopIndexingSession().
  • Added craft\services\Assets::getImagePreviewUrl().
  • Added craft\services\AssetTransforms::deleteTransformIndexDataByAssetIds().
  • Added craft\services\Conditions.
  • Added craft\services\Config::CATEGORY_CUSTOM.
  • Added craft\services\Config::getCustom().
  • Added craft\services\Drafts::removeDraftData().
  • Added craft\services\ElementSources, which replaces craft\services\ElementIndexes.
  • Added craft\services\Fields::createLayout().
  • Added craft\services\Fs.
  • Added craft\services\Gc::hardDeleteElements().
  • Added craft\services\Gc::removeEmptyTempFolders().
  • Added craft\services\Gql::prepareFieldDefinitions().
  • Added craft\services\ImageTransforms.
  • Added craft\services\Matrix::createRevisionBlocks().
  • Added craft\services\Matrix::duplicateOwnership().
  • Added craft\services\ProjectConfig::ASSOC_KEY.
  • Added craft\services\ProjectConfig::PATH_DATE_MODIFIED.
  • Added craft\services\ProjectConfig::PATH_ELEMENT_SOURCES.
  • Added craft\services\ProjectConfig::PATH_FS.
  • Added craft\services\ProjectConfig::PATH_META_NAMES.
  • Added craft\services\ProjectConfig::PATH_SCHEMA_VERSION.
  • Added craft\services\ProjectConfig::PATH_SYSTEM.
  • Added craft\services\ProjectConfig::rememberAppliedChanges().
  • Added craft\services\Users::deactivateUser().
  • Added craft\services\Users::ensureUserByEmail(), which will return a user for the given email, creating one if it didn’t exist yet.
  • Added craft\services\Users::EVENT_AFTER_DEACTIVATE_USER.
  • Added craft\services\Users::EVENT_BEFORE_DEACTIVATE_USER.
  • Added craft\services\Users::removeCredentials().
  • Added craft\services\Volumes::getTemporaryVolume().
  • Added craft\services\Volumes::getUserPhotoVolume().
  • Added craft\validators\MoneyValidator.
  • Added craft\web\assets\conditionbuilder\ConditionBuilderAsset.
  • Added craft\web\assets\htmx\HtmxAsset.
  • Added craft\web\assets\money\MoneyAsset.
  • Added craft\web\Controller::asCpScreen().
  • Added craft\web\Controller::asFailure().
  • Added craft\web\Controller::asModelFailure().
  • Added craft\web\Controller::asModelSuccess().
  • Added craft\web\Controller::asSuccess().
  • Added craft\web\Controller::CpScreenResponseBehavior().
  • Added craft\web\Controller::CpScreenResponseFormatter().
  • Added craft\web\Controller::getPostedRedirectUrl().
  • Added craft\web\Controller::TemplateResponseBehavior().
  • Added craft\web\Controller::TemplateResponseFormatter().
  • Added craft\web\twig\Extension::addressFilter().
  • Added craft\web\twig\Extension::moneyFilter().
  • Added craft\web\twig\variables\Cp::fieldLayoutDesigner().
  • Added craft\web\twig\variables\Cp::getFsOptions().
  • Added craft\web\twig\variables\Cp::getVolumeOptions().
  • Added craft\web\View::clearCssFileBuffer().
  • Added craft\web\View::clearJsFileBuffer().
  • Added craft\web\View::startCssFileBuffer().
  • Added craft\web\View::startJsFileBuffer().
  • Added the Craft.appendBodyHtml() JavaScript method, which replaces the now-deprecated appendFootHtml() method.
  • Added the Craft.CpScreenSlideout JavaScript class, which can be used to create slideouts from actions that return $this->asCpScreen().
  • Added the Craft.ElementEditor JavaScript class.
  • Added the Craft.ElementEditorSlideout JavaScript class.
  • Added the Craft.getPageUrl() JavaScript method.
  • Added the Craft.getQueryParam() JavaScript method.
  • Added the Craft.getQueryParams() JavaScript method.
  • Added the Craft.namespaceId() JavaScript method.
  • Added the Craft.namespaceInputName() JavaScript method.
  • Added the Craft.Preview.refresh() JavaScript method.
  • Added the Craft.Queue JavaScript class.
  • Added the Craft.setElementAttributes() JavaScript method.
  • Added the Craft.setPath() JavaScript method.
  • Added the Craft.setQueryParam() JavaScript method.
  • Added the Craft.setUrl() JavaScript method.
  • Added the Craft.ui.createButton() JavaScript method.
  • Added the Craft.ui.createSubmitButton() JavaScript method.
  • Added the htmx.org JavaScript library.
  • Added the commerceguys/addressing package.
  • Added the illuminate/collections package. (#8475)
  • Added the moneyphp/money package.
  • Added the symfony/var-dumper package.
  • Added the theiconic/name-parser package.
  • Added the yiisoft/yii2-symfonymailer package.

Changed

  • Craft now requires PHP 8.0.2 or later.
  • Craft now requires MySQL 5.7.8 / MariaDB 10.2.7 / PostgreSQL 10.0 or later.
  • Craft now requires the Intl and BCMath PHP extensions.
  • Improved draft creation/application performance. (#10577)
  • Improved revision creation performance. (#10589)
  • The “What’s New” HUD now displays an icon and label above each announcement, identifying where it came from (Craft CMS or a plugin). (#9747)
  • The control panel now keeps track of the currently-edited site on a per-tab basis by adding a site query string param to all control panel URLs. (#8920)
  • Element index pages’ status and sort menu option selections are now coded into the page URL via status and sort query string params. (#10669)
  • Users are no longer required to have a username or email.
  • Users can now set their Formatting Locale to any known locale; not just the available Language options. (#10519)
  • Users’ Language and Formatting Locale settings now display locale names in the current language and their native languages. (#10519)
  • User queries now return all users by default, rather than only active users.
  • Filtering users by active, pending, and locked statuses no longer excludes suspended users.
  • credentialed and inactive are now reserved user group handles.
  • Elements throughout the control panel are now automatically updated whenever they’re saved by another browser tab.
  • Assets fields that are restricted to a single location can now be configured to allow selection within subfolders of that location. (#9070)
  • When an image is saved as a new asset from the Image Editor via an Assets field, the Assets field will now automatically replace the selected asset with the new one. (#8974)
  • alt is now a reserved field handle for volume field layouts.
  • Volumes no longer have “types”, and their file operations are now delegated to a filesystem selected by an “Asset Filesystem” setting on the volume.
  • Volumes now have “Transform Filesystem” and “Transform Subpath” settings, which can be used to choose where image transforms should be stored. (The volume’s Asset Filesystem will be used by default.)
  • Asset thumbnails are now generated as image transforms.
  • It’s now possible to create volumes directly from the User Settings page.
  • Images that are not web-safe now are always converted to JPEGs when transforming, if no format was specified.
  • Entry post dates are no longer set automatically until the entry is validated with the live scenario. (#10093)
  • Entry queries’ authorGroup() param method now accepts an array of craft\models\UserGroup objects.
  • Element queries’ revision params can now be set to null to include normal and revision elements.
  • Element queries can no longer be traversed or accessed like an array. Use a query execution method such as all(), collect(), or one() to fetch the results before working with them.
  • Element queries’ title params no longer treat values with commas as arrays. (#10891)
  • User queries’ firstName and lastName params no longer treat values with commas as arrays. (#10891)
  • Relational fields now load elements in the current site rather than the primary site, if the source element isn’t localizable. (#7048)
  • Lightswitch fields can no longer be marked as required within field layouts. (#10773)
  • Built-in queue jobs are now always translated for the current user’s language. (#9745)
  • Path options passed to console commands (e.g. --basePath) now take precedence over their environment variable/PHP constant counterparts.
  • Database backups are now named after the Craft version in the database, rather than the Composer-installed version. (#9733)
  • Template autosuggestions now include their filename. (#9744)
  • Improved the look of loading spinners in the control panel. (#9109)
  • The default subLeft and subRight search query term options are now only applied to terms that don’t include an asterisk at the beginning/end, e.g. hello*. (#10613)
  • {% cache %} tags now store any external JavaScript or CSS files registered with {% js %} and {% css %} tags. (#9987)
  • All control panel templates end in .twig now. (#9743)
  • 404 requests are no longer logged by default. (#10659)
  • Log entries are now single-line by default when Dev Mode is disabled. (#10659)
  • Log files are now rotated once every 24 hours. (#10659)
  • CRAFT_STREAM_LOG no longer logs in addition to other log targets. (#10659)
  • The default log target no longer logs debug or info messages when Dev Mode is enabled. (#10916)
  • SQL query logs now use the debug log level, so they no longer get logged when Dev Mode is enabled. (#10916)
  • yii\db\Connection::$enableLogging and $enableProfiling are no longer enabled by default when Dev Mode is disabled. (#10916)
  • The queue log target no longer has special handling for Yii or info logs. (#10916)
  • A warning is now logged if an element query is executed before Craft is fully initialized. (#11033)
  • A warning is now logged if Twig is instantiated before Craft is fully initialized. (#11033)
  • Craft’s bootstrap script now attempts to create its configured system paths automatically. (#10562)
  • When using GraphQL to mutate entries, the enabled status is now affected on a per-site basis when specifying both the enabled and siteId parameters. (#9771)
  • The forms/selectize control panel template now supports addOptionFn and addOptionLabel params, which can be set to add new options to the list.
  • Editable tables now support allowAdd, allowDelete, and allowReorder settings, replacing staticRows. (#10163)
  • Column definitions passed to the _includes/forms/editableTable control panel template can now specify a width key. (#11062)
  • The limitField macro in the _components/fieldtypes/elementfieldsettings control panel template has been renamed to limitFields.
  • Renamed the elements/get-categories-input-html action to categories/input-html.
  • Renamed the elements/get-modal-body action to element-selector-modals/body.
  • The entries/save-entry action now returns a 400 HTTP status for JSON responses when the entry couldn’t be saved.
  • The users/save-user action no longer includes an unverifiedEmail key in failure responses.
  • The users/set-password action now returns a 400 HTTP status when an invalid token is passed, if there’s no URL to redirect to. (#10592)
  • install/, setup/, db/*, and help actions no longer output a warning if Craft can’t connect to the database. (#10851)
  • createFoldersInVolume:<uid> user permissions have been renamed to createFolders:<uid>.
  • deleteFilesAndFoldersInVolume:<uid> user permissions have been renamed to deleteAssets:<uid>.
  • deletePeerFilesInVolume:<uid> user permissions have been renamed to deletePeerAssets:<uid>.
  • editCategories:<uid> user permissions have been split into viewCategories:<uid>, saveCategories:<uid>, deleteCategories:<uid>, viewPeerCategoryDrafts:<uid>, savePeerCategoryDrafts:<uid>, and deletePeerCategoryDrafts:<uid>.
  • editEntries:<uid> user permissions have been renamed to viewEntries:<uid>.
  • editImagesInVolume:<uid> user permissions have been renamed to editImages:<uid>.
  • editPeerEntries:<uid> user permissions have been renamed to viewPeerEntries:<uid>.
  • editPeerEntryDrafts:<uid> user permissions have been split into viewPeerEntryDrafts:<uid> and savePeerEntryDrafts:<uid>.
  • editPeerFilesInVolume:<uid> user permissions have been renamed to savePeerAssets:<uid>.
  • editPeerImagesInVolume:<uid> user permissions have been renamed to editPeerImages:<uid>.
  • publishEntries:<uid> user permissions have been renamed to saveEntries:<uid>, and no longer differentiate between enabled and disabled entries. (Users with viewEntries:<uid> permissions will still be able to create drafts.)
  • publishPeerEntries:<uid> user permissions have been renamed to savePeerEntries:<uid>, and no longer differentiate between enabled and disabled entries. (Users with viewPeerEntries:<uid> permissions will still be able to create drafts.)
  • replaceFilesInVolume:<uid> user permissions have been renamed to replaceFiles:<uid>.
  • replacePeerFilesInVolume:<uid> user permissions have been renamed to replacePeerFiles:<uid>.
  • saveAssetInVolume:<uid> user permissions have been renamed to saveAssets:<uid>.
  • viewPeerFilesInVolume:<uid> user permissions have been renamed to viewPeerAssets:<uid>.
  • viewVolume:<uid> user permissions have been renamed to viewAssets:<uid>.
  • Elements’ searchScore GraphQL fields are now returned as integers.
  • Element types must now override craft\base\Element::isDeletable() if their elements should be deletable from the index page.
  • Element types’ cpEditUrl() methods no longer need to add a site param; one will be added automatically by craft\base\Element::getCpEditUrl().
  • Element types’ defineActions() methods’ $source arguments should no longer accept null.
  • Element types’ defineSources() methods’ $context arguments should no longer accept null.
  • Element types’ getHtmlAttributes() and htmlAttributes() methods must now return attribute arrays that are compatible with craft\helpers\Html::renderTagAttributes().
  • Element types’ sources() methods’ $context arguments should no longer accept null.
  • Element types’ tableAttributes() and defineTableAttributes() methods should no longer return a generic attribute for defining the header column heading at the beginning of the returned array. The header column heading is now set to the element type’s display name, per its displayName() method.
  • Block element types’ getOwner() methods can now return null.
  • Control panel resource locations are now cached, so resource requests can be resolved when Craft isn’t installed yet, or a database connection can’t be established. (#10642)
  • Control panel resources are now served with cache headers, if the buildId config setting is set. (#10705)
  • Empty subfolders within the temporary upload volume are now removed during garbage collection. (#10746)
  • Most config settings can now be overridden via environment variables. (#10573, #10869)
  • It’s now possible to configure the Debug Toolbar to store its data files on a filesystem, rather than within storage/runtime/debug/. (#10825)
  • craft\base\AssetPreviewHandlerInterface::getPreviewHtml() now accepts an optional array of variables to pass on to the template.
  • craft\base\Element::__get() now clones custom field values before returning them. (#8781)
  • craft\base\Element::fieldLayoutFields() now has a visibleOnly argument.
  • craft\base\Element::getFieldValue() now returns eager-loaded element values for the field, when they exist. (#10047)
  • craft\base\Element::metaFieldsHtml() now has a static argument.
  • craft\base\Element::setFieldValue() now unsets any previously-eager-loaded elements for the field. (#11003)
  • craft\base\Element::slugFieldHtml() now has a static argument.
  • craft\base\ElementInterface::getEagerLoadedElements() now returns an Illuminate\Support\Collection object instead of an array. (#8513)
  • craft\base\ElementInterface::getSidebarHtml() now has a static argument.
  • craft\base\MemoizableArray no longer extends ArrayObject, and now implements IteratorAggregate and Countable directly.
  • craft\base\Model::__construct() and setAttributes() now automatically typecast values that map to properties with int, float, int|float, string, bool, array, or DateTime type declarations. (#10706)
  • craft\base\Model::datetimeAttributes() is now called from the constructor, instead of the init() method.
  • craft\base\Model::setAttributes() now normalizes date attributes into DateTime objects.
  • craft\behaviors\FieldLayoutBehavior::getFields() has been renamed to getCustomFields().
  • craft\elements\Asset::getImg() now sets the alt attribute to the native Alternative Text field value, if set.
  • craft\elements\Asset::getVolume() now returns an instance of craft\models\Volume.
  • craft\elements\db\ElementQuery::ids() no longer accepts an array of criteria params.
  • craft\events\DraftEvent::$source has been renamed to $canonical.
  • craft\events\GetAssetThumbUrlEvent has been renamed to DefineAssetThumbUrlEvent.
  • craft\events\GetAssetUrlEvent has been renamed to DefineAssetUrlEvent.
  • craft\events\RevisionEvent::$source has been renamed to $canonical.
  • craft\fieldlayoutelements\AssetTitleField has been renamed to craft\fieldlayoutelements\assets\AssetTitleField.
  • craft\fieldlayoutelements\EntryTitleField has been renamed to craft\fieldlayoutelements\entries\EntryTitleField.
  • craft\fieldlayoutelements\StandardField has been renamed to craft\fieldlayoutelements\BaseNativeField.
  • craft\fieldlayoutelements\StandardTextField has been renamed to craft\fieldlayoutelements\TextField.
  • craft\fields\Assets::$singleUploadLocationSource has been renamed to $restrictedLocationSource.
  • craft\fields\Assets::$singleUploadLocationSubpath has been renamed to $restrictedLocationSubpath.
  • craft\fields\Assets::$useSingleFolder has been renamed to $restrictLocation.
  • craft\fields\BaseRelationField::$limit has been renamed to $maxRelations.
  • craft\fields\BaseRelationField::elementType() is now public.
  • craft\fields\BaseRelationField::inputSelectionCriteria() has been renamed to getInputSelectionCriteria(), and is now public.
  • craft\fields\BaseRelationField::inputSources() has been renamed to getInputSources(), and is now public.
  • craft\gql\directives\FormatDateTime::defaultTimezone() has been renamed to defaultTimeZone().
  • craft\gql\TypeManager::EVENT_DEFINE_GQL_TYPE_FIELDS is now triggered when actually resolving fields for a GraphQL type, rather than when the type is first created. (#9626)
  • craft\helpers\App::env() now checks for a PHP constant as well, if the environment variable didn’t exist.
  • craft\helpers\App::env() now returns null if a value couldn’t be found, rather than false.
  • craft\helpers\App::env() now returns a boolean if the original value was ‘true’ or ‘false’.
  • craft\helpers\App::env() now returns an integer or float if the original value was numeric.
  • craft\helpers\ArrayHelper::getValue() now supports keys in square bracket syntax, e.g. foo[bar][baz].
  • craft\helpers\Assets::generateUrl() no longer accepts a transform index for date modified comparisons. A DateTime object is expected instead.
  • craft\helpers\Assets::urlAppendix() no longer accepts a transform index for date modified comparisons. A DateTime object is expected instead.
  • craft\helpers\Component::createComponent() now automatically typecasts values that map to properties with int, float, int|float, string, bool, array, or DateTime type declarations. (#10706)
  • craft\helpers\Cp::elementHtml() now has an $autoReload argument.
  • craft\helpers\Db::batchInsert(), craft\helpers\Db::insert(), craft\db\Command::batchInsert(), craft\db\Command::insert(), craft\db\Migration::batchInsert(), and craft\db\Migration::insert() no longer have $includeAuditColumns arguments, and now check if the table has dateCreated, dateUpdated, and/or uid columns before setting their values.
  • craft\helpers\Db::parseParam() now validates that numeric values are passed if the $columnType is set to a numeric column type. (#9142)
  • craft\helpers\Db::prepareDateForDb() no longer has a $stripSeconds argument.
  • craft\helpers\Db::prepareValueForDb() now has a $columnType argument.
  • craft\helpers\Db::truncateTable() now returns void rather than int.
  • craft\helpers\Db::update(), craft\helpers\Db::upsert(), craft\db\Command::update(), craft\db\Command::upsert(), craft\db\Migration::update(), and craft\db\Migration::upsert()’ $includeAuditColumns arguments have been renamed to $updateTimestamp, and only affect the dateCreated column now. All upserts now check if the table has dateCreated, dateUpdated, and/or uid columns before setting their values.
  • craft\helpers\Db::upsert(), craft\db\Command::upsert(), and craft\db\Migration() no longer merge the $updateColumns array into $insertColumns. The full array of INSERT column values should be passed to $insertColumns now.
  • craft\helpers\Gql::getUnionType() no longer requires a resolver function to be passed, if the union contains only element GraphQL types.
  • craft\helpers\Html::beginForm() now sets accept-charset="UTF-8" by default.
  • craft\helpers\Html now supports defining hx-* and data-hx-* attributes via hx and data-hx keys, similar to aria and data.
  • craft\helpers\i18n\Formatter::asPercent() now chooses a default $decimals value based on the value given, if null.
  • craft\helpers\i18n\Formatter::asPercent() now treats all empty values as 0.
  • craft\helpers\MailerHelper::normalizeEmails() now returns an empty array instead of null.
  • craft\helpers\MigrationHelper::dropAllIndexesOnTable() no longer returns an array of the dropped indexes.
  • craft\helpers\Queue::push() now has a $queue argument.
  • craft\models\FieldLayout::EVENT_DEFINE_STANDARD_FIELDS has been renamed to EVENT_DEFINE_NATIVE_FIELDS.
  • craft\models\FieldLayout::getAvailableStandardFields() has been renamed to getAvailableNativeFields().
  • craft\models\FieldLayout::getFields() has been renamed to getCustomFields().
  • craft\queue\Queue::$channel is now set automatically based on the queue’s application component ID.
  • craft\services\Announcements::push() no longer accepts callables to be passed to the $heading and $body arguments. craft\i18n\Translation::prep() should be used to prepare the messages to be lazy-translated instead.
  • craft\services\AssetIndexer::storeIndexList() now expects the first argument to be a generator that returns craft\models\FsListing objects.
  • craft\services\Assets::ensureFolderByFullPathAndVolume() now returns a craft\models\VolumeFolder object rather than a folder ID.
  • craft\services\Assets::ensureTopFolder() now returns a craft\models\VolumeFolder object rather than a folder ID.
  • craft\services\Assets::EVENT_GET_ASSET_THUMB_URL has been renamed to EVENT_DEFINE_THUMB_URL.
  • craft\services\Assets::EVENT_GET_ASSET_URL has been moved to craft\elements\Asset::EVENT_DEFINE_URL.
  • craft\services\AssetTransforms::CONFIG_TRANSFORM_KEY has been moved to craft\services\ProjectConfig::PATH_IMAGE_TRANSFORMS.
  • craft\services\Categories::CONFIG_CATEGORYROUP_KEY has been moved to craft\services\ProjectConfig::PATH_CATEGORY_GROUPS.
  • craft\services\Fields::CONFIG_FIELDGROUP_KEY has been moved to craft\services\ProjectConfig::PATH_FIELD_GROUPS.
  • craft\services\Fields::CONFIG_FIELDS_KEY has been moved to craft\services\ProjectConfig::PATH_FIELDS.
  • craft\services\Globals::CONFIG_GLOBALSETS_KEY has been moved to craft\services\ProjectConfig::PATH_GLOBAL_SETS.
  • craft\services\Gql::CONFIG_GQL_KEY has been moved to craft\services\ProjectConfig::PATH_GRAPHQL.
  • craft\services\Gql::CONFIG_GQL_PUBLIC_TOKEN_KEY has been moved to craft\services\ProjectConfig::PATH_GRAPHQL_PUBLIC_TOKEN.
  • craft\services\Gql::CONFIG_GQL_SCHEMAS_KEY has been moved to craft\services\ProjectConfig::PATH_GRAPHQL_SCHEMAS.
  • craft\services\Matrix::CONFIG_BLOCKTYPE_KEY has been moved to craft\services\ProjectConfig::PATH_MATRIX_BLOCK_TYPES.
  • craft\services\Matrix::duplicateBlocks() now has a $deleteOtherBlocks argument.
  • craft\services\Plugins::CONFIG_PLUGINS_KEY has been moved to craft\services\ProjectConfig::PATH_PLUGINS.
  • craft\services\Plugins::doesPluginRequireDatabaseUpdate() has been renamed to isPluginUpdatePending().
  • craft\services\ProjectConfig::applyYamlChanges() has been renamed to applyExternalChanges().
  • craft\services\ProjectConfig::getDoesYamlExist() has been renamed to getDoesExternalConfigExist().
  • craft\services\ProjectConfig::getIsApplyingYamlChanges() has been renamed to getIsApplyingExternalChanges().
  • craft\services\ProjectConfig::set() now returns true or false depending on whether the project config was modified.
  • craft\services\Revisions::createRevision() now returns the ID of the revision, rather than the revision itself.
  • craft\services\Routes::CONFIG_ROUTES_KEY has been moved to craft\services\ProjectConfig::PATH_ROUTES.
  • craft\services\Sections::CONFIG_ENTRYTYPES_KEY has been moved to craft\services\ProjectConfig::PATH_ENTRY_TYPES.
  • craft\services\Sections::CONFIG_SECTIONS_KEY has been moved to craft\services\ProjectConfig::PATH_PATH_SECTIONS.
  • craft\services\Sites::CONFIG_SITEGROUP_KEY has been moved to craft\services\ProjectConfig::PATH_SITE_GROUPS.
  • craft\services\Sites::CONFIG_SITES_KEY has been moved to craft\services\ProjectConfig::PATH_SITES.
  • craft\services\Tags::CONFIG_TAGGROUP_KEY has been moved to craft\services\ProjectConfig::PATH_TAG_GROUPS.
  • craft\services\Updates::getIsCraftDbMigrationNeeded() has been renamed to getIsCraftUpdatePending().
  • craft\services\Updates::getIsPluginDbUpdateNeeded() has been renamed to getIsPluginUpdatePending().
  • craft\services\UserGroups::CONFIG_USERPGROUPS_KEY has been moved to craft\services\ProjectConfig::PATH_USER_GROUPS.
  • craft\services\UserPermissions::getAllPermissions() and getAssignablePermissions() now return permission groups as arrays with heading and permission sub-keys, fixing a bug where two groups with the same heading would conflict with each other. (#7771)
  • craft\services\Users::CONFIG_USERLAYOUT_KEY has been moved to craft\services\ProjectConfig::PATH_USER_FIELD_LAYOUTS.
  • craft\services\Users::CONFIG_USERS_KEY has been moved to craft\services\ProjectConfig::PATH_USERS.
  • craft\services\Volumes::CONFIG_VOLUME_KEY has been moved to craft\services\ProjectConfig::PATH_VOLUMES.
  • craft\test\fixtures\elements\BaseElementFixture now validates elements with the live scenario if they are enabled, canonical, and not a provisional draft.
  • craft\test\TestSetup::getMockApp() has been renamed to getMockModule(), and its $appClass argument has been renamed to $moduleClass.
  • craft\web\Request::getBodyParam() now accepts nested param names in the foo[bar][baz] format.
  • craft\web\Request::getBodyParams() and getBodyParam() now check for an X-Craft-Namespace header. If present, only params that begin with its value will be returned, excluding the namespace.
  • craft\web\View::renderString() now has an $escapeHtml argument.
  • craft\web\View::setNamespace()’ $namespace argument no longer has a default value of null.
  • The Craft.getUrl() JavaScript method now removes duplicate query string params when passing in a param that’s already included in the base URL.
  • The Craft.getUrl() JavaScript method now encodes any query string params passed to it.
  • Craft.broadcastChannel has been split up into two broadcast channels: Craft.broadcaster and Craft.messageReceiver.
  • Craft.cp.$tabs now returns a collection of the tabs’ <a> elements, as they no longer have wrapping <li> elements.
  • Local volumes no longer use Flysystem.
  • A selected volume for user photo storage is no longer displayed if no volume has been set.
  • The user photo volume can now only be set to a volume that has a public transform filesystem configured.
  • Craft now uses Symfony Mailer to send email. (#10062)
  • Updated Twig to 3.3.
  • Updated vue-autosuggest to 2.2.0.

Deprecated

  • Deprecated the autosaveDrafts config setting.
  • Deprecated the anyStatus element query param. status(null) should be used instead.
  • Deprecated the immediately argument for transforms created over GraphQL. It no longer has any effect.
  • Deprecated craft\base\ApplicationTrait::getInstalledSchemaVersion().
  • Deprecated craft\base\Model::datetimeAttributes(). (#10706)
  • Deprecated craft\elements\User::getFullName(). $fullName should be used instead.
  • Deprecated craft\gql\TypeManager::flush(). craft\services\Gql::flushCaches() should be used instead.
  • Deprecated craft\gql\TypeManager::prepareFieldDefinitions(). craft\services\Gql::prepareFieldDefinitions() should be used instead.
  • Deprecated craft\helpers\ArrayHelper::append(). array_unshift() should be used instead.
  • Deprecated craft\helpers\ArrayHelper::prepend(). array_push() should be used instead.
  • Deprecated craft\helpers\MigrationHelper.
  • Deprecated craft\i18n\I18N::getIsIntlLoaded().
  • Deprecated craft\services\Assets::getAssetUrl(). craft\elements\Asset::getUrl() should be used instead.
  • Deprecated craft\services\Assets::getIconPath(). craft\helpers\Assets::iconPath() should be used instead.
  • Deprecated craft\web\Controller::asErrorJson(). asFailure() should be used instead.
  • Deprecated the assets/save-asset action. elements/save should be used instead.
  • Deprecated the categories/save-category action. elements/save should be used instead.
  • Deprecated the Craft.appendFootHtml() JavaScript method. appendBodyHtml() should be used instead.

Removed

  • Removed the “Header Column Heading” element source setting.
  • Removed support for setting custom config settings from config/general.php. config/custom.php should be used instead. (#10012)
  • Removed the customAsciiCharMappings config setting.
  • Removed the siteName config setting. Environment-specific site names can be defined via environment variables.
  • Removed the siteUrl config setting. Environment-specific site URLs can be defined via environment variables.
  • Removed the suppressTemplateErrors config setting.
  • Removed the useCompressedJs config setting.
  • Removed the useProjectConfigFile config setting. Override craft\services\ProjectConfig::$writeYamlAutomatically to opt into manual YAML file generation.
  • Removed support for config/volumes.php. Volumes can now specify per-environment filesystems.
  • Removed support for the CRAFT_SITE_URL PHP constant. Environment-specific site URLs can be defined via environment variables.
  • Removed the enabledForSite GraphQL argument. status should be used instead.
  • Removed the {% includeHiResCss %} Twig tag.
  • Removed support for deprecated DateTime faux Twig methods atom(), cookie(), iso8601(), rfc822(), rfc850(), rfc1036(), rfc1123(), rfc2822(), rfc3339(), rss(), w3c(), w3cDate(), mySqlDateTime(), localeDate(), localeTime(), year(), month(), day(), nice(), and uiTimestamp().
  • Removed the locale element property. siteId should be used instead.
  • Removed the ownerLocale Matrix block query param. site or siteId should be used instead.
  • Removed support for sourceLocale in relatedTo element query params. sourceSite should be used instead.
  • Removed the craft.categoryGroups Twig variable.
  • Removed the craft.config Twig variable.
  • Removed the craft.deprecator Twig variable.
  • Removed the craft.elementIndexes Twig variable.
  • Removed the craft.emailMessages Twig variable.
  • Removed the craft.feeds Twig variable.
  • Removed the craft.fields Twig variable.
  • Removed the craft.globals Twig variable.
  • Removed the craft.i18n Twig variable.
  • Removed the craft.request Twig variable.
  • Removed the craft.sections Twig variable.
  • Removed the craft.session Twig variable.
  • Removed the craft.systemSettings Twig variable.
  • Removed the craft.userGroups Twig variable.
  • Removed the craft.userPermissions Twig variable.
  • Removed the assignUserGroups user permission, which authorized users to assign other users to their own groups. Authorization must now be explicitly granted for each group. (#10422)
  • Removed the customizeSources user permission. Only admins can customize element sources now, and only from an environment that allows admin changes.
  • Removed the publishPeerEntryDrafts:<uid> permissions, as they were pointless. (If a user is authorized to save an entry and view other users’ drafts of it, there’s nothing stopping them from making the same changes themselves.)
  • Removed the assets/edit-asset action.
  • Removed the assets/thumb action.
  • Removed the categories/edit-category action.
  • Removed the categories/preview-category action.
  • Removed the categories/share-category action.
  • Removed the categories/view-shared-category action.
  • Removed the dashboard/get-feed-items action.
  • Removed the elements/get-editor-html action.
  • Removed the entries/switch-entry-type action.
  • Removed craft\base\ApplicationTrait::getEntryRevisions().
  • Removed craft\base\ApplicationTrait::getFeed().
  • Removed craft\base\Element::ATTR_STATUS_CONFLICTED.
  • Removed craft\base\Element::getHasFreshContent(). getIsFresh() should be used instead.
  • Removed craft\base\ElementInterface::getEditorHtml(). Element edit forms are now exclusively driven by their field layout.
  • Removed craft\base\FieldLayoutElementInterface.
  • Removed craft\base\FlysystemVolume.
  • Removed craft\base\LocalVolumeInterface.
  • Removed craft\base\Volume.
  • Removed craft\base\VolumeInterface.
  • Removed craft\base\VolumeTrait.
  • Removed craft\behaviors\FieldLayoutBehavior::setFields().
  • Removed craft\config\DbConfig::updateDsn().
  • Removed craft\console\Request::getIsSingleActionRequest().
  • Removed craft\controllers\AssetTransformsController.
  • Removed craft\controllers\BaseUpdaterController::ACTION_COMPOSER_OPTIMIZE.
  • Removed craft\controllers\BaseUpdaterController::actionComposerOptimize().
  • Removed craft\controllers\Drafts.
  • Removed craft\controllers\ElementIndexesController::$paginated.
  • Removed craft\controllers\EntriesController::EVENT_PREVIEW_ENTRY.
  • Removed craft\controllers\UtilitiesController::actionAssetIndexPerformAction().
  • Removed craft\db\Connection::trimObjectName().
  • Removed craft\db\Table::ASSETTRANSFORMINDEX.
  • Removed craft\db\Table::ASSETTRANSFORMS.
  • Removed craft\elements\actions\SetStatus::$allowDisabledForSite.
  • Removed craft\elements\actions\SetStatus::DISABLED_FOR_SITE.
  • Removed craft\elements\actions\SetStatus::DISABLED_GLOBALLY.
  • Removed craft\elements\Asset::getSupportsPreview().
  • Removed craft\elements\Asset::getTransformSource().
  • Removed craft\elements\Asset::setTransformSource().
  • Removed craft\elements\db\ElementQuery::getIterator().
  • Removed craft\elements\db\ElementQuery::offsetExists().
  • Removed craft\elements\db\ElementQuery::offsetGet().
  • Removed craft\elements\db\ElementQuery::offsetSet().
  • Removed craft\elements\db\ElementQuery::offsetUnset().
  • Removed craft\elements\User::mergePreferences().
  • Removed craft\errors\AssetTransformException.
  • Removed craft\errors\FieldNotFoundException.
  • Removed craft\errors\InvalidVolumeException.
  • Removed craft\errors\MissingVolumeFolderException.
  • Removed craft\errors\VolumeException.
  • Removed craft\errors\VolumeObjectExistsException.
  • Removed craft\errors\VolumeObjectNotFoundException.
  • Removed craft\events\AssetTransformEvent.
  • Removed craft\events\AssetTransformImageEvent.
  • Removed craft\events\DefineComponentsEvent.
  • Removed craft\events\GenerateTransformEvent::$image.
  • Removed craft\events\GenerateTransformEvent::$tempPath.
  • Removed craft\events\GetAssetThumbEvent.
  • Removed craft\events\GetAssetThumbUrlEvent::$generate.
  • Removed craft\events\GetAssetThumbUrlEvent::$size.
  • Removed craft\events\GlobalSetContentEvent.
  • Removed craft\events\RegisterGqlPermissionsEvent.
  • Removed craft\events\SearchEvent::getElementIds().
  • Removed craft\events\SearchEvent::setElementIds().
  • Removed craft\feeds\Feeds.
  • Removed craft\feeds\GuzzleClient.
  • Removed craft\fields\BaseOptionsField::optionLabel().
  • Removed craft\fields\Url::$placeholder.
  • Removed craft\gql\base\Resolver::extractEagerLoadCondition().
  • Removed craft\gql\base\Resolver::getArrayableArguments().
  • Removed craft\gql\base\Resolver::prepareArguments().
  • Removed craft\helpers\App::dbMutexConfig().
  • Removed craft\helpers\App::getDefaultLogTargets().
  • Removed craft\helpers\App::logConfig().
  • Removed craft\helpers\Cp::editElementTitles().
  • Removed craft\helpers\Localization::localeData().
  • Removed craft\helpers\Stringy.
  • Removed craft\i18n\Locale::setDateTimeFormats().
  • Removed craft\log\FileTarget.
  • Removed craft\log\StreamLogTarget.
  • Removed craft\models\AssetTransform.
  • Removed craft\models\AssetTransformIndex.
  • Removed craft\models\BaseEntryRevisionModel.
  • Removed craft\models\EntryDraft.
  • Removed craft\models\EntryVersion.
  • Removed craft\models\FieldLayout::setFields().
  • Removed craft\models\Site::$originalBaseUrl.
  • Removed craft\models\Site::$originalName.
  • Removed craft\models\Site::overrideBaseUrl().
  • Removed craft\models\Site::overrideName().
  • Removed craft\models\VolumeListing.
  • Removed craft\mutex\DbMutexTrait.
  • Removed craft\mutex\FileMutex.
  • Removed craft\mutex\MysqlMutex.
  • Removed craft\mutex\PgsqlMutex.
  • Removed craft\mutex\PrefixedMutexTrait.
  • Removed craft\queue\jobs\DeleteStaleTemplateCaches.
  • Removed craft\records\AssetTransform.
  • Removed craft\records\MatrixBlockType::$validateUniques.
  • Removed craft\services\AssetIndexer::deleteStaleIndexingData().
  • Removed craft\services\AssetIndexer::extractFolderItemsFromIndexList().
  • Removed craft\services\AssetIndexer::extractSkippedItemsFromIndexList().
  • Removed craft\services\AssetIndexer::getIndexingSessionId().
  • Removed craft\services\AssetIndexer::getMissingFiles().
  • Removed craft\services\AssetIndexer::prepareIndexList().
  • Removed craft\services\AssetIndexer::processIndexForVolume().
  • Removed craft\services\Assets::EVENT_GET_ASSET_THUMB_URL.
  • Removed craft\services\Assets::EVENT_GET_THUMB_PATH.
  • Removed craft\services\Assets::getThumbPath().
  • Removed craft\services\AssetTransforms.
  • Removed craft\services\Composer::$disablePackagist.
  • Removed craft\services\Composer::optimize().
  • Removed craft\services\Content::getContentRow().
  • Removed craft\services\Content::populateElementContent().
  • Removed craft\services\Drafts::EVENT_AFTER_MERGE_SOURCE_CHANGES.
  • Removed craft\services\Drafts::EVENT_AFTER_PUBLISH_DRAFT.
  • Removed craft\services\Drafts::EVENT_BEFORE_MERGE_SOURCE_CHANGES.
  • Removed craft\services\Drafts::EVENT_BEFORE_PUBLISH_DRAFT.
  • Removed craft\services\Drafts::publishDraft().
  • Removed craft\services\EntryRevisions.
  • Removed craft\services\Fields::assembleLayout().
  • Removed craft\services\Fields::getFieldIdsByLayoutId().
  • Removed craft\services\Fields::getFieldsByElementType().
  • Removed craft\services\Fields::getFieldsByLayoutId().
  • Removed craft\services\Gql::getAllPermissions().
  • Removed craft\services\Path::getAssetThumbsPath().
  • Removed craft\services\ProjectConfig::CONFIG_ALL_KEY.
  • Removed craft\services\ProjectConfig::CONFIG_KEY.
  • Removed craft\services\Sections::isSectionTemplateValid().
  • Removed craft\services\SystemSettings.
  • Removed craft\services\TemplateCaches::deleteCacheById().
  • Removed craft\services\TemplateCaches::deleteCachesByKey().
  • Removed craft\services\TemplateCaches::deleteExpiredCaches().
  • Removed craft\services\TemplateCaches::deleteExpiredCachesIfOverdue().
  • Removed craft\services\TemplateCaches::EVENT_AFTER_DELETE_CACHES.
  • Removed craft\services\TemplateCaches::EVENT_BEFORE_DELETE_CACHES.
  • Removed craft\services\TemplateCaches::handleResponse().
  • Removed craft\services\TemplateCaches::includeElementInTemplateCaches().
  • Removed craft\services\TemplateCaches::includeElementQueryInTemplateCaches().
  • Removed craft\services\Volumes::createVolume().
  • Removed craft\services\Volumes::EVENT_REGISTER_VOLUME_TYPES.
  • Removed craft\services\Volumes::getAllVolumeTypes().
  • Removed craft\services\Volumes::getVolumeOverrides().
  • Removed craft\volumes\Local.
  • Removed craft\volumes\MissingVolume.
  • Removed craft\volumes\Temp.
  • Removed craft\web\AssetBundle::useCompressedJs().
  • Removed craft\web\AssetManager::getPublishedPath().
  • Removed craft\web\Request::getIsSingleActionRequest().
  • Removed craft\web\twig\Template.
  • Removed craft\web\twig\variables\CategoryGroups.
  • Removed craft\web\twig\variables\Config.
  • Removed craft\web\twig\variables\Deprecator.
  • Removed craft\web\twig\variables\ElementIndexes.
  • Removed craft\web\twig\variables\EmailMessages.
  • Removed craft\web\twig\variables\Feeds.
  • Removed craft\web\twig\variables\Fields.
  • Removed craft\web\twig\variables\Globals.
  • Removed craft\web\twig\variables\I18N.
  • Removed craft\web\twig\variables\Request.
  • Removed craft\web\twig\variables\Sections.
  • Removed craft\web\twig\variables\SystemSettings.
  • Removed craft\web\twig\variables\UserGroups.
  • Removed craft\web\twig\variables\UserPermissions.
  • Removed craft\web\twig\variables\UserSession.
  • Removed craft\web\User::destroyDebugPreferencesInSession().
  • Removed craft\web\User::saveDebugPreferencesToSession().
  • Removed craft\web\View::$minifyCss.
  • Removed craft\web\View::$minifyJs.
  • Removed craft\web\View::registerHiResCss().
  • Removed craft\web\View::renderTemplateMacro().
  • Removed the _layouts/element control panel template.
  • Removed the assets/_edit control panel template.
  • Removed the categories/_edit control panel template.
  • Removed the entries/_edit control panel template.
  • Removed the cp.assets.edit.content control panel template hook.
  • Removed the cp.assets.edit.details control panel template hook.
  • Removed the cp.assets.edit.meta control panel template hook.
  • Removed the cp.assets.edit.settings control panel template hook.
  • Removed the cp.assets.edit control panel template hook.
  • Removed the cp.categories.edit.content control panel template hook.
  • Removed the cp.categories.edit.details control panel template hook.
  • Removed the cp.categories.edit.meta control panel template hook.
  • Removed the cp.categories.edit.settings control panel template hook.
  • Removed the cp.categories.edit control panel template hook.
  • Removed the cp.elements.edit control panel template hook.
  • Removed the cp.entries.edit.content control panel template hook.
  • Removed the cp.entries.edit.details control panel template hook.
  • Removed the cp.entries.edit.meta control panel template hook.
  • Removed the cp.entries.edit.settings control panel template hook.
  • Removed the cp.entries.edit control panel template hook.
  • Removed the Craft.AssetEditor JavaScript class.
  • Removed the Craft.BaseElementEditor JavaScript class.
  • Removed the Craft.DraftEditor JavaScript class.
  • Removed the Craft.queueActionRequest() JavaScript method. Craft.queue.push() can be used instead.
  • Removed the Flysystem package. The craftcms/flysystem-adapter package now provides a base Flysystem adapter class.
  • Removed the laminas-feed package.
  • Removed the yii2-swiftmailer package.

Fixed

  • Fixed a bug where pending project config changes in the YAML would get applied when other project config changes were made. (#9660)
  • Fixed a bug where revisions weren’t getting propagated when a section was enabled for new sites, or its Propagation Method was changed. (#10634)

Security

  • Generated control panel URLs now begin with the @web alias value if the baseCpUrl config setting isn’t defined.
  • HTML entities output within email body text are now escaped by default in HTML email bodies.
