Are you vulnerable?

Konsult wishes to improve the way we inform you about security issues. Transparency is key to making sure your websites are patched and as secure as possible. Here you will see all security issues fixed in Kentico 12 and all future versions.

The hotfixes are cumulative, meaning that each hotfix contains all the previous hotfixes for the same version. We recommend that you apply the latest hotfix available for the Kentico version you are using. If you are looking for older versions, please visit https://devnet.kentico.com/download/hotfixes.

Hotfix 13.0.9

Published: Fri, 22 Jan 2021 15:33:45 GMT

Be sure to check our Hotfix instructions before starting the hotfix process. It might save you some trouble afterwards.

Fixed bugs:

  • E-commerce - If a product bundle was automatically added to a customer's shopping cart as part of a 'Buy X Get Y' discount, the system incorrectly inserted two of each item included in the bundle.
  • Media library - An error occurred when creating a new media library after applying hotfix 13.0.4 or newer. The problem was caused by incorrectly signed macros, and can be fixed by applying hotfix 13.0.9, or alternatively by re-signing macros in the system.
  • On-line forms - When cloning forms, the maximum length of the new form's 'DB table name' was not validated correctly and allowed values that were too long. This could lead to inconsistencies with the resulting form.


Hotfix 13.0.8

Published: Fri, 15 Jan 2021 12:30:17 GMT

Fixed bugs:

  • Data engine - Changing the order of certain global objects resulted in an error after applying hotfix 13.0.7. For example, the issue could affect custom object types or custom tables with an order column.
  • Hotfix - Applying a previous version 13 hotfix to the Kentico Xperience setup files added incorrect versions of certain installation files and templates. As a result, new projects created using the hotfixed installer had an invalid database and did not work correctly. To fix the problem, you need to apply hotfix 13.0.8 or newer to the setup files.
  • Marketing automation - When a marketing automation process was automatically initiated by a trigger of the 'Time-based' type, contacts going through an 'If/Else' step got stuck even though they met the step's condition. The process remained in the 'Pending' state for the contact and could not finish.


Hotfix 13.0.7

Published: Fri, 08 Jan 2021 12:20:00 GMT

Fixed bugs:

  • Data engine - If a custom object type was stored outside of the default database (e.g., in a separated database for on-line marketing data), the system used an incorrect database connection when updating the order or ID path for the given objects, resulting in an error. For example, the problem occurred when displaying such objects in the administration using the UniGrid control and attempting to change the order of objects.
  • General - On ASP.NET Core sites, an instance of the 'IDataProtectionProvider' service was always required on application startup. This could cause slower application start and errors when developing isolated integration tests if a mock instance of this service was not created for every test.


Hotfix 13.0.6

Published: Fri, 11 Dec 2020 15:29:38 GMT

Fixed bugs:

  • Page builder - The cookie level of the system's 'KenticoCookiePolicyTest' cookie (used to detect the 3rd party domain blocking policy of a browser) was too high. This could result in incorrectly displayed error messages in the Xperience administration, e.g. in the page builder interface.
  • Search - Pages crawler search indexes did not reuse connections correctly on HTTPS sites. For example, this could cause SNAT Port Exhaustion errors to occur when rebuilding indexes on sites hosted on the Azure App Service, leading to missing page results.


Hotfix 12.0.92

Published: Fri, 11 Dec 2020 08:22:59 GMT

Fixed bugs:

  • Security (Informative) - Possible information disclosure in form control error messages - If an error occurred when rendering a Portal Engine form control, the error message displayed on the live site included stack trace information.
  • E-mail engine - Emails sent from the 'Send email' tab in the 'Email queue' application or the 'Mass email' tab in the 'Users' application did not resolve relative virtual URLs to their absolute form correctly. For example, this could result in broken links to pages on Portal Engine sites. The issue occurred only after applying hotfix 12.0.79 or newer.
  • Search - Pages crawler search indexes did not reuse connections correctly on HTTPS sites. For example, this could cause SNAT Port Exhaustion errors to occur when rebuilding indexes on sites hosted on the Azure App Service, leading to missing page results.
  • Users - Editing a user's memberships in the administration interface on the 'Membership' tab of the 'Users' application for a selected site incorrectly removed any memberships that the user had assigned on other sites. The problem did not occur when memberships were assigned in the 'Membership' application or automatically by purchasing a product associated with the membership.


Hotfix 13.0.5

Published: Mon, 07 Dec 2020 12:03:36 GMT

Fixed bugs:

  • General - Applying hotfix 13.0.4 caused errors in the administration application and prevented the project from compiling.
  • Media library - The hotfix allows media libraries to use the direct file path in URLs when adding links to files in Xperience content (instead of permanent media file URLs). For example, direct file URLs may be desired for media files placed in external storage, such as Microsoft Azure Blob storage. The option can be configured when editing individual media libraries on the 'General' tab. The configured URL format applies when adding links to media files in the rich text editor (using the page builder widget or when editing rich text page fields) and via page fields based on the 'Media selection' form control.
  • Pages - If certain characters (for example a ` grave accent) were used in the 'URL slug' of a page, the value could no longer be changed and an error occurred when viewing the page in the administration interface and on the live site.
  • Search - Azure search indexes of the 'Pages' or 'Pages crawler' type did not update after a page included in the index was updated (and a corresponding search task was processed).
  • Users - Editing a user's memberships in the administration interface on the 'Membership' tab of the 'Users' application for a selected site incorrectly removed any memberships that the user had assigned on other sites. The problem did not occur when memberships were assigned in the 'Membership' application or automatically by purchasing a product associated with the membership.


Hotfix 13.0.3

Published: Fri, 27 Nov 2020 12:35:57 GMT

Fixed bugs:

  • Files - On ASP.NET Core sites, the system generated malformed links to static files displayed under preview mode (in the 'Pages' application or when viewed via a generated preview URL). The issue occurred only for files placed outside the application's web root (~/wwwroot folder). Most commonly affected were media library files, which are by default stored in a dedicated site folder outside the application's web root.
  • Localization - Localization (e.g., via the system's ResHelper class) did not work and resulted in an error in projects targeting .NET Core 5.
  • Page builder - The search in the 'Media files selector' dialog for page builder components did not work in certain browsers (for example Firefox), and the displayed media files were not filtered.
  • Page builder - The properties dialog in the page builder interface prevented 'mouseup' and 'mousedown' button events from propagating. As a result, any form components that registered listeners for such events did not work correctly in the dialog when assigned to properties.
  • Pages - On ASP.NET Core sites that used content tree-based routing, pages configured to require authentication did not redirect public visitors to the site's sign-in page. The 401 Unauthorized response was returned instead.
  • Search - Changes made to the 'Enable smart search indexing' setting ('Settings' application -> System -> Search) were only reflected after application restart.


Hotfix 13.0.2

Published: Fri, 20 Nov 2020 13:32:18 GMT

Fixed bugs:

  • E-mail engine - Emails sent from the 'Send email' tab in the 'Email queue' application or the 'Mass email' tab in the 'Users' application did not resolve relative virtual URLs to their absolute form in certain cases.
  • Import/Export - Disabling the 'Rebuild site search indexes' option in the 'Objects selection' step of the import wizard did not work correctly, and the option always persisted as enabled after switching to a different object category.


Hotfix 13.0.1

Published: Fri, 13 Nov 2020 17:35:26 GMT

Fixed bugs:

  • E-mail engine - The 'Email queue' application incorrectly required the 'Modify email queue' permission to 'Refresh' the queue. After applying the hotfix, the 'Read email queue' permission is sufficient to refresh the queue.
  • Email marketing - Added a tip box with an introduction video for the 'Email marketing' application.


Hotfix 12.0.91

Published: Fri, 06 Nov 2020 08:51:34 GMT

Fixed bugs:

  • Security (Important) - Error messages in the administration interface vulnerable to XSS - There were several occurrences of a cross-site scripting vulnerability when the administration interface displayed an error message containing malicious user input (in object names). The issue was fixed by sanitizing special characters displayed in the error messages.
  • Form controls - Form fields on Portal Engine sites using the 'HTML5 input' form control lost CSS classes assigned through the field 'CSS styles' properties when a postback occurred on the page (for example after the form was submitted and validation failed).
  • Import/Export - When the same site was imported more than once to the same instance, the site root pages had the same values in the 'DocumentWorkflowCycleGUID' field, which could lead to errors and incorrect behavior. For example, creating new pages could result in page template retrieval errors. Applying the hotfix ensures unique GUID values for future imports, but does not fix existing sites with this issue.


Hotfix 12.0.90

Published: Fri, 23 Oct 2020 06:13:41 GMT

Fixed bugs:

  • Facebook integration - Due to changes in the Facebook API and related permissions, the functionality for publishing content to Facebook pages may stop working. To use the feature, you need to apply the hotfix and manually update your Facebook app. Ensure that your app has the 'pages_manage_posts', 'pages_read_user_content' and 'read_insights' permissions, upgrade the Facebook API Version to 'v8.0', and generate a new page access token for your Facebook app in Kentico.
  • Page builder - The folder tree area of the 'Media files selector' dialog for page builder components was too narrow, which could make it hard to read long or nested media folder names. The hotfix updates the design of the dialog to improve visibility in the folder tree.


Hotfix 12.0.89

Published: Fri, 16 Oct 2020 08:32:18 GMT

Fixed bugs:

  • E-commerce - Payments using the default PayPal provider resulted in a validation error if the order used a gift card with a value higher than the total price of all purchased items (only applies to cases where payment was still necessary after calculating the order's final price with shipping and tax).
  • E-mail engine - Cleaning of archived emails with attachment files was inefficient, and could potentially lead to timeout issues if the database contained a large number of archived emails with an attachment.
  • Marketing automation - Marketing automation processes could get stuck on 'Wait' steps and licensing errors were logged. The problem occurred in cases where the background scheduled task handling the wait step was executed in the context of a site with a license edition lower than EMS (on instances with multiple sites using different license editions).


Hotfix 12.0.88

Published: Fri, 09 Oct 2020 08:02:17 GMT

Fixed bugs:

  • Licensing - Running an MVC site with the Small Business license edition resulted in license limitation errors. After applying the hotfix, Small Business licenses support web farm synchronization and the errors no longer occur.


Hotfix 12.0.87

Published: Fri, 02 Oct 2020 09:45:06 GMT

Fixed bugs:

  • Staging - If the system was configured to store file binary data on the file system, staging tasks did not synchronize these files for object-related meta files. For example, the problem could affect product images assigned to SKUs.


Hotfix 12.0.86

Published: Fri, 25 Sep 2020 09:14:45 GMT

Fixed bugs:

  • Form controls - The 'reCAPTCHA' form control and MVC form component only processed the current content culture as a 2 character ISO code, which could cause the reCAPTCHA to display in the incorrect culture. For example, the problem could occur on sites using the 'zh-HK' Chinese culture, which displayed the reCAPTCHA in the 'zh-CN' culture instead.


Hotfix 12.0.85

Published: Fri, 18 Sep 2020 10:52:15 GMT

Fixed bugs:

  • General export - An error occurred when using the Advanced export feature for email marketing link click statistics with the 'Export raw database data' option enabled and all data columns selected.
  • Staging - Page update staging tasks generated after adding or modifying a related page from another site did not synchronize the relationship change to target servers. After applying the hotfix, staging supports synchronization of relationships between pages on different sites.


Hotfix 12.0.84

Published: Fri, 11 Sep 2020 10:14:23 GMT

Fixed bugs:

  • Page types - An error occurred when rolling back to a previous version of a page type with one or more child page types (i.e. page types that inherit fields).
  • Web analytics - If a web analytics log file for exit page candidates contained invalid or malformed data, processing failed and prevented logging of all web analytics statistics. After applying the hotfix, such files are deleted and processing of other analytics logs continues.


Hotfix 12.0.83

Published: Fri, 28 Aug 2020 06:58:59 GMT

Fixed bugs:

  • Reporting - The 'Print' functionality in the Reporting application did not work on sites with the 'Kentico CMS Base' or lower license editions.


Hotfix 12.0.82

Published: Fri, 21 Aug 2020 08:16:50 GMT

Fixed bugs:

  • Microsoft Azure - On sites hosted in Azure, an error occurred in the administration interface when viewing pages in Preview mode or the page builder for pages whose node alias path contained non-ASCII characters. The virtual context URLs used by these features had escaped characters when obtained from Azure, resulting in a non-matching hash.
  • Page builder - When caching the output of controller actions using the ASP.NET output caching, the page builder did not load in the 'Pages' application for pages displayed through the cached actions. Instead, only a preview of the cached page was displayed. This problem occurred in special scenarios, for example, when caching based on specific parameters defined in the 'VaryByParam' property.


Hotfix 12.0.81

Published: Fri, 14 Aug 2020 08:49:11 GMT

Fixed bugs:

  • E-mail engine - Cleaning of archived emails could fail in cases where the scheduler was configured to run in request-based mode and the administration site did not receive regular traffic. This could lead to buildup of sent emails and cause intervals of heavy database load.
  • Licensing - Domains containing a port number were not correctly registered as belonging to the domain for which a license was issued. This caused issues with the system's web farm functionality.


Hotfix 12.0.80

Published: Fri, 07 Aug 2020 09:04:53 GMT

Fixed bugs:

  • Form builder - The visibility condition and validation rule components of the system's 'Form builder' feature contained a memory leak. Sites making heavy use of these components experienced severely heightened memory utilization, eventually resulting in an application crash.
  • WYSIWYG editor - When editing page fields based on the 'Rich text editor' form control, the system incorrectly handled virtual URLs in the 'poster' attribute of 'video' tags (added through the editor's Source mode). After saving such a URL into the content, subsequent edits loaded a relative URL resolved according to the application path of the administration application. Re-saving the field could cause the poster URL to become invalid, for example if the live site was running with a different application path than the administration.


Hotfix 12.0.79

Published: Fri, 31 Jul 2020 07:47:36 GMT

Fixed bugs:

  • Form builder - It was not possible to set a static 'id' attribute for the 'form' HTML element of forms placed using the system's default 'Form' widget. By default, the system always generated a random 'id' for each form to prevent multiple forms with identical identifiers from being placed on a single page. After applying the hotfix, you can suppress this behavior by setting the 'id' attribute via the 'FormWidgetRenderingConfiguration.FormHtmlAttributes' property. However, note that this sets the same 'id' attribute for ALL form widget instances. As a result, having more than one form per page is not supported under this configuration.
  • Page builder - If content added through the page builder (for example using a text editor widget) included absolute URLs with a domain matching the current site's Presentation URL, the URLs became broken after resaving the content. The system resolved such URLs into internal virtual context URLs ('/cmsctx/...') to work within the administration interface, but this value was incorrectly saved into the database on subsequent edits. After applying the hotfix, such absolute URLs are modified to relative URLs after being saved, and the system correctly handles the virtual context URL conversions. The fix does not address any existing broken links - these need to be fixed and resaved manually.


Hotfix 12.0.78

Published: Fri, 24 Jul 2020 08:05:17 GMT

Fixed bugs:

  • E-commerce - Payments using the default PayPal provider resulted in a validation error if the order contained a note longer than 165 characters. After applying the hotfix, order notes that exceed this number of characters are trimmed before being sent to PayPal.


Hotfix 12.0.77

Published: Fri, 10 Jul 2020 08:06:50 GMT

Fixed bugs:

  • E-commerce - Free shipping offers with a 'Minimum order amount' were incorrectly evaluated without subtracting any applied order discounts from the checked order price. Note that after applying the hotfix, orders will no longer qualify for free shipping if their price does not meet the minimum amount after subtracting an order discount.


Hotfix 12.0.76

Published: Fri, 03 Jul 2020 10:57:24 GMT

Fixed bugs:

  • Pages - An error occurred in the language version comparison mode of the Pages application for users whose username contained certain special characters, such as a backslash (typically for users created via external authentication).
  • Pages - Certain scenarios did not work correctly if the 'URL pattern' of page types on MVC sites contained a page path macro that could resolve into a value with multiple URL segments, such as the 'NodeAliasPath' field. For example, detection of alternative URL conflicts did not work for the resulting pages. After applying the hotfix, the system handles such macros if they are the only value placed into the URL pattern.


Hotfix 12.0.75

Published: Fri, 26 Jun 2020 09:37:08 GMT

Fixed bugs:

  • Security (Important) - Method used to resolve URLs was vulnerable to XSS - There were several occurrences of a cross-site scripting vulnerability when the system resolved URLs whose relative part contained a special sequence of characters. The vulnerability occurred in the administration interface, as well as controls that could be used on the live site. The issue was fixed by filtering out these characters.

    Workaround for all Kentico versions

    A manual workaround for this issue is to add URL sequences from "/(A(" to "/(Z(" to the <denyUrlSequence> web.config element. The web.config should contain the following:

    <denyUrlSequences>
        <add sequence="/(A(" />
        <add sequence="/(B(" />
        ...
        <add sequence="/(Z(" />
    </denyUrlSequences>
  • Pages - Users created via external authentication whose username contained certain special characters could encounter an error when viewing pages in the Pages application, for example in Preview mode or in the page builder edit mode on the 'Page' tab. After applying the hotfix, the virtual context URLs used to display such content store the GUID of the current user instead of the username.
  • Search - The system generated individual smart search indexing tasks for each page associated with a given product (SKU object) every time the product was modified. This occurred even for pages not included under any smart search indexes. After applying the hotfix, the system generates a single smart search task per SKU modification that processes all pages related to the product.
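As an added example (not part of the original hotfix notes and not Kentico's own tooling), the following Python script generates the full '/(A(' to '/(Z(' deny list described in the workaround for hotfix 12.0.75 above, merges it into the request-filtering section of a web.config without duplicating entries that are already present, lists what is configured so the change can be verified after deployment, and checks whether a given request path would be rejected by one of the sequences. The web.config sample is constructed; the element path configuration/system.webServer/security/requestFiltering/denyUrlSequences is the standard IIS request-filtering location; the case-insensitive substring comparison in is_denied is an assumption about how IIS matches the sequences.

```python
"""Added example (not Kentico's own tooling): build and apply the denyUrlSequences
workaround for the URL-resolution XSS fixed in hotfix 12.0.75."""
import string
import xml.etree.ElementTree as ET

# The sequences named in the workaround: "/(A(" through "/(Z(".
SEQUENCES = [f"/({letter}(" for letter in string.ascii_uppercase]

# Constructed sample web.config; a real file carries many more sections.
SAMPLE_WEB_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <denyUrlSequences>
          <add sequence=".." />
        </denyUrlSequences>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
"""


def _child(parent: ET.Element, tag: str) -> ET.Element:
    """Return the child element with this tag, creating it if it is missing."""
    node = parent.find(tag)
    if node is None:
        node = ET.SubElement(parent, tag)
    return node


def merge_into_web_config(xml_text: str) -> str:
    """Add any missing "/(A(" .. "/(Z(" entries under
    configuration/system.webServer/security/requestFiltering/denyUrlSequences
    (the standard IIS request-filtering location). Existing entries are kept,
    so applying this twice does not duplicate anything."""
    root = ET.fromstring(xml_text)
    deny = _child(_child(_child(_child(root, "system.webServer"), "security"),
                         "requestFiltering"), "denyUrlSequences")
    existing = {add.get("sequence") for add in deny.findall("add")}
    for seq in SEQUENCES:
        if seq not in existing:
            ET.SubElement(deny, "add", sequence=seq)
    return ET.tostring(root, encoding="unicode")


def denied_sequences(xml_text: str) -> list:
    """Return the sequences currently configured, for verification after deployment."""
    root = ET.fromstring(xml_text)
    path = "./system.webServer/security/requestFiltering/denyUrlSequences/add"
    return [add.get("sequence") for add in root.iterfind(path)]


def is_denied(path: str, sequences=SEQUENCES) -> bool:
    """Would request filtering reject this path? Assumes (assumption, not verified
    against IIS) that sequences are compared case-insensitively as plain substrings
    of the request path."""
    upper = path.upper()
    return any(seq.upper() in upper for seq in sequences)


if __name__ == "__main__":
    patched = merge_into_web_config(SAMPLE_WEB_CONFIG)
    print(patched)
    print("configured:", denied_sequences(patched))
    for p in ("/Default.aspx", "/(S(abc123))/Default.aspx"):
        print(p, "->", "blocked" if is_denied(p) else "allowed")
```

The '/(X(...))/' shape that the deny list covers is the URL syntax ASP.NET uses for cookieless tickets (for example the '(S(...))' session and '(F(...))' forms-authentication segments), which is why the workaround blocks every letter rather than a single one. Applying it therefore also makes cookieless sessions and cookieless forms authentication unreachable on the site, so confirm those features are not in use before deploying the change, and prefer applying hotfix 12.0.75 or newer where possible.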


Hotfix 12.0.74

Published: Fri, 19 Jun 2020 07:51:14 GMT

Fixed bugs:

  • Authentication - The system did not generate a valid callback URL for external authentication providers if the site was running on a domain with a non-standard port number (different than 80 for HTTP, 443 for HTTPS). This resulted in an endless chain of redirects between the application and the authentication provider.
  • Form builder - The 'Checkbox' form component's 'Text' property did not support localization macro expressions.


Hotfix 12.0.73

Published: Fri, 12 Jun 2020 07:58:09 GMT

Fixed bugs:

  • API - Kentico API that relied on static contexts, such as 'SiteContext', 'ContactManagementContext', or 'CMSActionContext', did not work and returned empty values when called within custom asynchronous (async) methods. After applying the hotfix, the contexts correctly persist their values within async code.
  • Files - When a folder was mapped to another location using the file system provider API, moving or copying of files from the local file system into the mapped folder did not work correctly in certain scenarios. For example, if a media library folder was mapped to Azure Blob storage, the system did not create files when using the import feature to add media files into the given folder.
  • Localization - Registration emails sent when a new user registered on a Portal Engine site through the 'Registration form' or 'Custom registration form' web part did not have the correct culture in certain scenarios. Localization macros placed into registration email templates (e.g. 'Membership - Registration' or 'Membership - Registration confirmation') were resolved into a default culture (English) instead of the user's current content culture on the site.
  • Page builder - If a custom form component using the React JavaScript library was assigned to a property of a page builder component (widget, section, etc.), click events (onclick) did not work in the resulting properties dialog. After applying the hotfix, click events of React components are triggered correctly in page builder property configuration dialogs.


Hotfix 12.0.72

Published: Fri, 05 Jun 2020 09:25:38 GMT

Fixed bugs:

  • Staging - Staging tasks of the 'Break ACL inheritance' type were not logged correctly when the change was triggered by incoming synchronization from another server (typically in environments with 3 or more connected staging servers).


Hotfix 12.0.71

Published: Fri, 22 May 2020 06:41:34 GMT

Fixed bugs:

  • E-commerce - When utilizing the 'Shipping option selection' web part in the checkout process on a Portal Engine site, an error occurred if a customer selected a shipping option and then later switched back to the default '(Please select)' item. After applying the hotfix, the web part no longer displays the '(Please select)' item after selecting and saving a valid shipping option. The problem occurred after applying hotfix 12.0.35 or newer.
  • Licensing - License keys containing domain names shorter than four characters were not recognized by the system.


Hotfix 12.0.70

Published: Fri, 15 May 2020 07:45:48 GMT

Fixed bugs:

  • E-mail engine - If using a database server with relatively low-tier performance (for example an Azure SQL database with 400 DTUs) and sending extremely large numbers of emails, cleaning of archived emails could fail and potentially lead to buildup of sent emails, and even performance issues or crashes on the website. To fix the issue, either scale up the database, increase the database connection timeout, or lower the batch size for archived email deletion by adding the new 'CMSEmailDeleteBatchSize' key to the project's web.config file. The key's default value is 2000.