Current File : //var/softaculous/conc8/changelog.txt
9.4.5 Release Notes
Behavioral Improvements
We now no longer wrap Grid Framework-based layouts in an extra row and column class.
Fixed some UI quirks when mousing over table-based list views in the Dashboard.
Bug Fixes
Fixed: pages with editing canonical URLs are not correctly marked as in trash.
Fixed: Nesting "Free-Form Layout" type Areas/Layouts breaks honouring the "Spacing" value
Fixed: 5xx Server Error for calendar RSS feed.
Fixed bug where privacy policy accept banner appeared strangely on the Stacks Dashboard page.
Fixed bug where adding blocks to areas in the Dashboard Welcome screen would only allow you to add one block, and then you would be forced to reload the page.
Fixed bug where saving theme customizations could force custom CSS dialog to render multiple times.
Fixed notice error when configuring legacy themes.
Developer Updates
$controller->buildRedirect(...) can now take a page object as its first argument (thanks mnakalay)
9.4.4 Release Notes
New Features
Renamed “Automated Logout” Dashboard page to “Logout Options”; added options to the Dashboard page to control whether users see an explicit logout message when they log out.
Added an option to log stack traces of uncaught exceptions, available in the Logging Settings Dashboard page (thanks mlocati)
Behavioral Improvements
We now do a better job of keeping the current page in edit mode while you’re actively making changes to the page without it timing out (thanks mlocati)
Improvements to Page List blocks when dealing with large data sets of pages and not ignoring permissions (thanks hissy)
Improvements to button display in composer form and page versions panel when a page version has already been submitted to workflow (thanks hissy).
Images placed in the Hero Image block will now preload with a <link> tag in the header, improving performance scores in webmaster tools (thanks hissy)
Bug Fixes
Fixed bug where a user encounters an error when attempting to add a Form to a page via the Express Form block (thanks mlocati)
Fixed: Express Entry Detail Block not returning results in version 9.4.3 (thanks mlocati)
Fixed bug where certain web server configurations coupled with non-standard web requests could result in pages rendering with incorrect JS/CSS paths. Coupled with full page caching and a request could result in a cached page with broken assets.
Fixed: Default HTTP client options found in config/app.php were old and mostly not properly honored. Now new proper config options and default values are provided (thanks ArniPL)
Fixed display bug in Chrome and possibly other browsers where the first click on a block in a page would briefly highlight the block with an opaque color, instead of the semi-transparent green it should.
Fixed PHP warnings in Text encoding service (thanks mlocati)
Fixed bug where filtering users by certain groups could return incorrect users if the group names were similar (thanks mlocati)
Fix the behavior of sitemap selector not working for level 3 and lower when working with the selectFromSitemap or selectMultipleFromSitemap methods in the PageSelector class (thanks parasek)
Fixed: multiple instances of the Social Links attribute do not work on a user profile page.
Fixed: Folder Name is not sorted correctly in document library (thanks SashaMcr)
Fixed many bugs and inconsistencies when importing and export attributes as CIF XML (thanks mlocati)
Fixed avaScript error in Express Search Form: $(...).datepicker is not a function when using a date/time attribute with an Express List block (thanks hissy)
Fixed bug where "Display in browser" option was still forcing files to download when using the Document Library (thanks hissy)
Fixed: LinkAbstractor::export does not export concrete-picture element collectly (thanks hissy)
Avoid multiline comments in i18n comments (thanks mlocati)
Fixed: “undefined” text shown in confirmation modal when removing permissions in bulk via Page Search
9.4.3 Release Notes
Behavioral Improvements
Many block types that didn’t properly report their file usage to the Dashboard File Details page now do so (thanks mlocati)
RSS Feeds created and listed in the Dashboard now include a convenience link to view the contents of the feed (thanks Mesuva)
Force download view_inline will no longer download a file if the file is not viewable inline, instead it will just return (thanks Allan-macareux)
When comparing page versions, we will now sort the version IDs to ensure that you’re always comparing old versions to new versions regardless of the order of query string arguments, and we’ll also order the version IDs in the tab description more sensibly.
You can now set the background of stack contents in the Dashboard to a temporary white or black (does not affect content or how its rendered) in order to assist when working on content that differs from the Dashboard color scheme (thanks mlocati)
Bug Fixes
Many bug fixes to the Concrete content import/export system (thanks mlocati)
Fixed bug where Concrete proxy settings were not sending URLs that were https:// through the proxy (thanks hissy)
Sites that registered a proxy server in the Dashboard will now use that proxy server when connecting to the marketplace for add-on downloads and updates (thanks hissy)
When editing the frontend of a site on mobile, the pages icon in the toolbar was positioned incorrectly. This is now fixed.
Fixed error when assigning a new page attribute to multiple pages via Page Search (thanks danklassen)
Fixed bug where Option List attributes that were defined through CIF XML on import or through custom code were not properly assigning to a page.
Fixed error where leaving a comment larger than 255 characters on a page version would trigger a database error (thanks SashaMcr)
Developer Updates
Massive improvements to block import and export, including the ability to import and export many block types that were not possible (Calendar, etc…) (thanks mlocati)
Minor translation improvements (thanks mlocati)
Certain ancient functions now marked as deprecated since PHP provides their functionality natively (thanks mlocati)
We now dispatch the "on_add_canonical_page_path" when adding a canonical path (thanks biplobice)
Fixed bug running the c5:ide-symbols console command under certain conditions (thanks mlocati)
Security Fixes
Fixed CVE-2025-8571 Reflected XSS in Conversation Messages Dashboard Page by adding more sanitization to the Url::setVariable method with commit 12643 for version 9 and commit 12646 for version 8. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 4.8 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. Unsanitized input could cause theft of session cookies or tokens, defacement of web content, redirection to malicious sites, and (if victim is an admin), the execution of unauthorized actions. Thanks Fortbridge for performing a penetration test and vulnerability assessment on Concrete CMS and reporting this issue.
Fixed CVE-2025-8573 Stored XSS from Home Folder on Members Dashboard page with commit 12643. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.8 with vector CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. A rogue admin could set up a malicious folder containing XSS to which users could be directed upon login. Version 8 is not affected. Thanks sealldev for reporting HackerOne 3145536.
Fixed inconsistent behavior when using the rich text editor. Before the fix, users pasting HTML into the “content” pane of the rich text editor and saving the content resulted in HTML-escaped versions of the content. Note that re-saving it would then save it as HTML.
Mini Shell