CVE-2021-22954: 9.0 Release Notes :: Concrete CMS

A cross-site request forgery vulnerability exists in Concrete CMS <v9 that could allow an attacker to make requests on behalf of other users.


Major New Features

  • Boards
  • Summary Templates
  • Multisite support.
  • New modern theme for 2021 – Atomik
  • New Gallery block built into the core.
  • Completely rebuilt file manager that has much better folder and advanced search support, support for home folders, favorite folders, external file providers, a new file upload UI and much much more.
  • Completely new upload experience that adds support for additional service provider plugins.
  • A completely new integrated image editor
  • Overhauled theme customizer, with support for skins, non-customizable skins, SCSS support, Bootstrap 5 and more.
  • Tasks: a completely rebuilt, much improved version of classic Concrete Jobs, with support for queueing, scheduling, unified input/output within the console and web interfaces, live output with Mercure and more.
  • User Group Types: Add the ability to create types of groups, including roles within groups, group management based on roles within groups, and more.
  • An overhauled UI built off of Bootstrap 5 and Concrete Bedrock

Other New Features and Improvements

  • Express now supports multisite.
  • Added the ability to edit page aliases from within the Dashboard sitemap (thanks mlocati)
  • Added the ability to customize the from name registration email parameter (thanks katzueno)
  • New Breadcrumb Navigation block now available (thanks hissy)
  • Much improved performance throughout, due to better navigation caching, and cache optimization (hissy and core team)
  • Added pagination to clipboard panel and the ability to reset all clipboards from the Dashboard (thanks bitterdev)
  • Added configuration for whether to log email body contents or just metadata (thanks bitterdev)
  • Support for interactive theme documentation and block preview.
  • Added bulk page permissions commands to the page search interface (thanks bitterdev)
  • Added the ability to upload a CSV of users to assign to a particular group. (thanks bitterdev)
  • Completely new image editor plugin framework. Ships with TUI Image Editor.
  • New icon selector component when working with block types like Feature that allow users to select icons.
  • Added logging for file uploads and file deletions (thanks bitterdev)
  • File manager can now automatically populate file attributes from EXIF metadata on upload (thanks bitterdev)
  • Implement Clear-Site-Data header after a successful login (thanks ahukkanen)
  • Added block title format for Date Navigation block (thanks katalysis)
  • Much improved Image block, including the ability to load images in lightboxes, display thumbnails of image in the page, and much more.
  • Added a delete button for packages that have just been uninstalled or downloaded (thanks hissy)
  • Improved login performance when logging in with Remember Me cookie.
  • New Page Version Comment field available in page composer (thanks hissy)
  • Introduce new middlewares for security options (thanks hissy)
  • User must now confirm the existing password when changing their own password or another user’s password in the Dashboard.
  • Much improved asynchronous thumbnail generation process, with enhancements from the CLI task runner and Mercure (thanks bitterdev)

Bug Fixes

  • Files are not placed in a folder’s selected storage location if it has a custom storage location (thanks danklassen)
  • Fixes bug where files moved to folders were not using those folders storage locations (thanks danklassen)
  • If a form redirects to an external page that includes a query parameter, the result is a malformed URL. (thanks JeffPaetkau)
  • Fixed error when marking URL slug as required in composer form (thanks httnnnkrng)
  • Fixed: User workflows - User activation does not trigger on admin email validations (thanks bitterdev)
  • Document Library - Handle missing folder
  • Avoid an exception on the express_entry_detail block when the express form ID does not exist (thanks biplobice)
  • Copied block with no edit mode has an “edit block” link which throws an exception (thanks gutig)
  • Fixed bugs within Redis-powered full page caching driver (thanks matt9mg)

Developer Updates

  • Badges and community points have been removed from the core. If you need this functionality, install the Community Badges add-on from https://github.com/concrete5/community_badges prior to upgrading your site.
  • Concrete now runs on PHP 8.
  • Tools have been completely removed, including from blocks and packages. Their functionality has been available more securely and flexibly through the routing and controller systems for many years now. (thanks mlocati!)
  • Completely rebuilt new queue system, built on Symfony Messenger.
  • Completely new command/message system, built on Symfony Messenger.
  • Many core components updated to their latest version, including Laravel and Symfony components.
  • Add overridable collection handle generator (thanks hissy)
  • Removed the old process.php script for backend requests.
  • Introduced a new command bus pattern. Developers can use it to encapsulate their commands and reuse them with one or two lines in multiple places.
  • Swapped underlying HTTP client with Guzzle and PSR7.
  • Router adds support for single action controllers with __invoke (thanks shahroq)
  • Allow Form helper to handle new HTML input types (thanks JohnTheFish)
  • https://github.com/concrete5/concrete5/pull/9479 (thanks jeffPaetkau)
  • Blacklist/whitelist terminology renamed throughout the core.

Security Updates

A lot of security updates were put into version 9 that we kept quiet about when version 9 was released, since the fixes were also put into versions 8.5.6 and 8.5.7 and the CVEs were embargoed until those versions were released. Please check out those release notes, which describe which security fixes were also put into version 9.

Version 9 removed the CSRF token from being stored in dynamic JavaScript to remediate CVE-2021-22954.

Alternate mitigations for versions below 9 are to apply a header configuration in nginx/Apache. To mitigate, set Cross-Origin-Resource-Policy to either same-origin or same-site; see https://developer.mozilla.org/en-US/docs/Web/HTTP/Cross-Origin_Resource_Policy_(CORP) if unsure which to apply.

  • Nginx: in the location block, add_header Cross-Origin-Resource-Policy "same-origin";
  • Apache: in .htaccess or equivalent, Header set Cross-Origin-Resource-Policy "same-origin"

The Concrete CMS Security Team gave this a CVSS 3.1 score of 4.8 (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). Thanks to the Solar Security Research Team for reporting!
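A small verification helper, added here as an example and not part of the Concrete CMS release notes or code base: it inspects the response headers of the dynamic JavaScript endpoint and reports whether the Cross-Origin-Resource-Policy mitigation above is in place. The sample responses are constructed, not real captures.

```python
# Added example (not Concrete CMS code): check whether an HTTP response carries the
# Cross-Origin-Resource-Policy (CORP) header recommended as the pre-9 mitigation.
# Why it matters: a dynamic JavaScript file that embeds a CSRF token can be pulled in
# by another origin with a plain <script src="..."> tag (a "no-cors" request). CORP set
# to same-origin or same-site makes the browser refuse such cross-origin loads.
#
# Server directives quoted from the release notes:
#   nginx  (inside location {}): add_header Cross-Origin-Resource-Policy "same-origin";
#   Apache (.htaccess):          Header set Cross-Origin-Resource-Policy "same-origin"
from typing import Iterable, List, Tuple

MITIGATING_VALUES = {"same-origin", "same-site"}


def corp_status(headers: Iterable[Tuple[str, str]]) -> str:
    """Return 'mitigated', 'weak' or 'missing' for a sequence of (name, value) headers.

    Names are matched case-insensitively. If CORP appears more than once, the last
    value wins, which is how layered add_header / Header set directives usually resolve.
    """
    value = None
    for name, raw in headers:
        if name.strip().lower() == "cross-origin-resource-policy":
            value = raw.strip().strip('"').lower()
    if value is None:
        return "missing"
    return "mitigated" if value in MITIGATING_VALUES else "weak"


def parse_raw_headers(raw: str) -> List[Tuple[str, str]]:
    """Split the header block of a raw HTTP response (status line first) into pairs."""
    pairs = []
    for line in raw.strip().splitlines()[1:]:  # drop the "HTTP/1.1 200 OK" line
        if ":" in line:
            name, _, val = line.partition(":")
            pairs.append((name, val))
    return pairs


# Constructed sample responses for a dynamic JS endpoint (not captured traffic).
UNPATCHED = """HTTP/1.1 200 OK
Content-Type: application/javascript
Cache-Control: no-cache
"""
PATCHED = """HTTP/1.1 200 OK
Content-Type: application/javascript
cross-origin-resource-policy: same-origin
"""

if __name__ == "__main__":
    for label, resp in (("unpatched", UNPATCHED), ("patched", PATCHED)):
        print(label, corp_status(parse_raw_headers(resp)))
```

Feed it the header block of a real response (for example from a raw HTTP client) to confirm the directive actually reaches the JavaScript endpoint and is not overridden by a later header directive.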

Backward Compatibility Notes

  • If you use Core::make(), $app->make() or anything similar in your packages, and provide arguments to these classes at the same time, recent updates to the Laravel Container class may break some older code. Please see this tutorial for more information: https://documentation.concretecms.org/tutorials/add-developers-get-your-add-ons-ready-concrete-cms-90
  • Beginning in version 8, we added the ability to override core elements from within your themes. For example, if the core requires an element via View::element('conversations/add_post'), the core looks for this element in concrete/elements/conversations/add_post.php. However, if the currently active theme provides this element in themes/my_theme/elements/concrete/conversations/add_post.php, it will be used instead. We are changing this to remove the concrete/ directory from the elements directory within your theme. That means in order to override any core element from within your theme, you only need to make it available at the same path within the elements/ directory of your theme.
  • If you register custom help for specific pages in your package, make sure to do so from within your package’s on_start method rather than from within the Dashboard page. Our new help panel requires this. See https://github.com/concrete5/concrete5/issues/9869#issuecomment-927136592 for more information.
  • Console command c5:blacklist:clear has been renamed c5:denylist:clear
  • If you work with Concrete cookies directly in your server configurations, be aware that they have been renamed. The default session cookie has been changed from CONCRETE5 to CONCRETE; the default is-logged-in cookie has been changed from CONCRETE5_LOGIN to CONCRETE_LOGIN.
