Are you vulnerable?

Konsult wishes to improve the way we inform you about security issues. Transparency is key to keeping your websites patched and as secure as possible. Below you will find every issue fixed in the Kentico 12 hotfixes, with security fixes labelled as such, and the same will follow for future versions.

The hotfixes are cumulative: each hotfix contains all previous hotfixes for the same version. We recommend applying the latest hotfix available for the Kentico version you are running. If you are looking for older versions, please visit https://devnet.kentico.com/download/hotfixes.

Hotfix 12.0.69

Published: Thu, 07 May 2020 07:45:53 GMT

Be sure to check our Hotfix instructions before starting the hotfix process. It might save you some trouble afterwards.

Fixed bugs:

  • Page types - If a page type inherited a system 'Page field' from a parent page type (for example the 'DocumentShowInSiteMap' field), code generated for the page type incorrectly included a property representing the system field (such properties are redundant, as system fields are already available in the base 'TreeNode' class). After applying the hotfix, system fields are never included in classes generated for page types.
  • Staging - If a page type had a field based on the 'Department roles selector' form control, the field's data was not correctly synchronized through staging tasks when a page was created or updated.


Hotfix 12.0.68

Published: Thu, 30 Apr 2020 07:02:39 GMT

Fixed bugs:

  • E-commerce - On sites running under heavy load, evaluation of Buy X Get Y discounts could result in an error, leading to incorrect or inconsistent results. For example, such problems could occur after adding discount-related products to the shopping cart on a high-traffic website.
  • MVC - The 'Live site' button in the application list did not work correctly if certain special characters were included in the 'Presentation URL' of an MVC site.


Hotfix 12.0.67

Published: Fri, 24 Apr 2020 06:47:20 GMT

Fixed bugs:

  • E-commerce - The 'Preview' tab in the 'Products' application on MVC sites was incorrectly displayed for products without an available live URL (for example products whose page type did not have a URL pattern configured). The problem occurred after applying hotfix 12.0.53 or newer.


Hotfix 12.0.66

Published: Fri, 17 Apr 2020 08:58:47 GMT

Fixed bugs:

  • E-mail engine - Certain emails that were sent directly without going through the email queue incorrectly had their priority (importance) headers set by the system. For example, marketing email drafts were always sent out with low priority. After applying the hotfix, the priority is not set for any outgoing emails.
  • Form controls - The 'Form field selector' form control did not work when creating conditions in the macro rule designer. For example, it was not possible to select a field when configuring the parameter of the "Contact has filled in form field" macro rule.
  • Users - Updating system user objects via the MVC site (as part of account detail updates, password resets, and similar operations) automatically generated the user's 'FullName' property by concatenating the existing first and last name values. For example, this could override all customizations made to the user's full name on the side of the administration interface. After applying the hotfix, the full name is automatically generated upon user creation and only updated if the system detects that the original automatically generated full name is still being used.


Hotfix 12.0.65

Published: Thu, 09 Apr 2020 09:30:14 GMT

Fixed bugs:

  • Search - When creating or rebuilding smart search indexes of the 'Pages' type (local or Azure), not all pages were correctly included in the index if a processed batch of records contained only pages that were not published on the live site. For example, the problem could occur on sites with large sections of archived pages, containing more items than the 'Batch size' set for indexes.


Hotfix 12.0.64

Published: Fri, 03 Apr 2020 09:35:30 GMT

Fixed bugs:

  • Web farms - If using a database server with relatively low-tier performance (for example an Azure SQL database with under 50 DTUs), timeout errors could occur when the system performed cleanup of web farm tasks, typically when the instance contained large synchronization tasks with binary data. This resulted in event log errors and potentially a buildup of web farm tasks in the database. To fix the issue, either increase the connection timeout for the database or lower the batch size for task deletion by adding the new 'CMSWebFarmTaskDeleteBatchSize' key to the project's web.config file. The key's default value is 500.


Hotfix 12.0.63

Published: Fri, 27 Mar 2020 09:38:32 GMT

Fixed bugs:

  • Facebook integration - Facebook authentication on Portal Engine sites did not respect the 'Require unique user emails' setting and could create user accounts with the same email address as an existing user in the system. After applying the hotfix, such conflicts result in the creation of a Kentico user account with an empty email address.
  • UI personalization - Notifications about unsaved changes did not work in the Pages application for users who had the 'Properties' tab hidden by the UI personalization feature.


Hotfix 12.0.62

Published: Fri, 20 Mar 2020 08:59:58 GMT

Fixed bugs:

  • Localization - Localizing a form's 'After the form is submitted' or 'Submit button' text using resource strings (on the 'General' tab of the form's editing interface) did not work correctly for forms displayed on MVC sites using the 'Form' widget. The live site always displayed the English version of the text instead of using the current page's culture.


Hotfix 12.0.61

Published: Fri, 06 Mar 2020 09:27:23 GMT

Fixed bugs:

  • A/B testing - Page visit conversions for A/B tests on MVC sites were not logged correctly for sites running on a URL without a virtual directory (i.e. hosted directly in the root of an IIS website).
  • Page builder - URL values stored in the properties of page builder widgets, sections or templates (either through the property configuration dialog or an inline editor) lost their '#' fragment component after resaving the page multiple times. This could result in broken anchor links.
  • Translation services - An error occurred when creating a translation submission that contained a linked page together with the link's original page. After applying the hotfix, translation submissions filter out link duplicates and only include the original page.


Hotfix 12.0.60

Published: Fri, 28 Feb 2020 08:47:48 GMT

Fixed bugs:

  • Security (Important) - Administrators able to edit Global administrator users - Users with the 'Administrator' privilege level were able to send requests that modified other users with the higher 'Global administrator' privilege level (this was not possible directly in the user interface). Such changes could cause the global administrator to lose their privilege level, which could also impact the live site by invalidating security-sensitive macros signed by the given administrator. This vulnerability could not be used for privilege escalation.
  • MVC - If a project used bundling for CSS files and was compiled with a 'Release' configuration (i.e. the <compilation> element's 'debug' attribute set to 'false' in the web.config file), links to assets in the CSS code (fonts, images, etc.) with a relative URL became broken when viewing pages in preview mode or the page builder interface.
  • Workflow - Selection of roles from multiple different sites did not work correctly on the 'Security' tab of workflow or marketing automation steps. Selecting roles for one site incorrectly cleared the role selection made for other sites. After applying the hotfix, the site selector no longer appears above the role listing on the Security tab, but instead is part of the role selection dialog.
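The 'Administrators able to edit Global administrator users' item above is a textbook case of authorization enforced only in the user interface: the button was hidden, but the request handler accepted the modification. The following is an added example, not Kentico code, showing the check a request handler needs so that an actor can never modify a user above their own privilege level or grant a level above their own. The privilege names, their ordering, the User shape and the request format are assumptions for illustration; Kentico's internal handlers are not shown on this page.

```python
"""Added example (not Kentico code): server-side privilege-level enforcement
for user-management requests. The ordering of privilege levels, the User
fields and the request shape below are assumptions for illustration."""
from dataclasses import dataclass

# Assumed ordering: a higher number means more privilege.
PRIVILEGE_LEVELS = {"None": 0, "Editor": 1, "Administrator": 2, "GlobalAdministrator": 3}


@dataclass
class User:
    name: str
    privilege: str
    email: str = ""


class Forbidden(Exception):
    pass


def _apply(target, changes):
    for field, value in changes.items():
        setattr(target, field, value)
    return target


def update_user_vulnerable(actor, target, changes):
    """Mirrors the flaw as the hotfix note describes it: the UI hid the action,
    but the handler only checked that the actor was at least an Administrator.
    A crafted request can therefore demote a Global administrator."""
    if PRIVILEGE_LEVELS[actor.privilege] < PRIVILEGE_LEVELS["Administrator"]:
        raise Forbidden("not an administrator")
    return _apply(target, changes)


def update_user_fixed(actor, target, changes):
    """Hardened: the actor may only modify users at or below their own level,
    and may not assign a level above their own."""
    actor_level = PRIVILEGE_LEVELS[actor.privilege]
    if actor_level < PRIVILEGE_LEVELS["Administrator"]:
        raise Forbidden("not an administrator")
    if PRIVILEGE_LEVELS[target.privilege] > actor_level:
        raise Forbidden("target has a higher privilege level than the actor")
    new_privilege = changes.get("privilege", target.privilege)
    if new_privilege not in PRIVILEGE_LEVELS:
        raise ValueError(f"unknown privilege level {new_privilege!r}")
    if PRIVILEGE_LEVELS[new_privilege] > actor_level:
        raise Forbidden("cannot grant a privilege level above your own")
    return _apply(target, changes)


def attempt(handler, actor, target, changes):
    """Run a handler and report the target's resulting privilege, or 'forbidden'."""
    try:
        return handler(actor, target, changes).privilege
    except Forbidden:
        return "forbidden"


if __name__ == "__main__":
    admin = User("alice", "Administrator")
    request = {"privilege": "Editor"}  # what the UI never offered, but a request can carry
    print("vulnerable:", attempt(update_user_vulnerable, admin, User("bob", "GlobalAdministrator"), request))
    print("fixed:     ", attempt(update_user_fixed, admin, User("bob", "GlobalAdministrator"), request))
```

The comparison is against the target's current level and against the requested new level separately; checking only one of the two leaves either a demotion path or a self-promotion path open.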


Hotfix 12.0.59

Published: Fri, 21 Feb 2020 09:00:13 GMT

Fixed bugs:

  • Page builder - If a page builder component's property (for example a widget property) used the 'Text area' editing form component, pressing the Enter key to add new lines within the resulting property configuration dialog did not work in the Firefox browser. The problem also affected any custom form components containing a 'textarea' tag.


Hotfix 12.0.58

Published: Fri, 14 Feb 2020 08:44:29 GMT

Fixed bugs:

  • Page builder - The system did not provide sufficient information for developers about errors originating from MVC form components when displayed as part of the widget properties dialog. After applying the hotfix, such errors are logged with full exception details into the system's event log.
  • Staging - Staging tasks generated after deleting all alternative URLs from a page on an MVC site did not work correctly (only if there were no remaining alternative URLs after the deletion). In these cases, the alternative URLs remained on target servers after synchronizing the corresponding 'Update page' staging task.


Hotfix 12.0.57

Published: Fri, 07 Feb 2020 11:28:14 GMT

Fixed bugs:

  • Continuous integration - If a website contained a very large number of pages (tens of thousands) of a certain page type, adding a new field to the page type with continuous integration enabled resulted in an SQL query that was too complex and an error occurred. After applying the hotfix, the system generates less complex queries for such scenarios, which minimizes the chance of SQL errors.
  • Web parts - The 'Custom registration form' web part did not validate the entered username value. If the specified username contained an invalid character, such as an apostrophe, an error occurred on the website.


Hotfix 12.0.56

Published: Fri, 31 Jan 2020 07:21:52 GMT

Fixed bugs:

  • E-commerce - When managing products in the 'Products' application on a Portal Engine site, switching the language selector to create a new culture version of a product caused an error. The error only occurred after applying hotfix 12.0.53 or newer.


Hotfix 12.0.55

Published: Fri, 24 Jan 2020 10:50:56 GMT

Fixed bugs:

  • E-commerce - For products that were used within an existing order, deleting one culture version of the product page incorrectly disabled the 'Allow for sale' property of the given product (SKU), even if there were other culture versions. After applying the hotfix, products are disabled only if no remaining culture versions exist.
  • Form components - An error occurred when submitting an MVC form containing the 'File uploader' form component if outgoing synchronization using the integration bus was enabled.
  • Social media - Due to changes in the LinkedIn integration API, the LinkedIn company profile management functionality in Kentico did not work. After applying the hotfix, you additionally need to obtain the 'rw_organization_admin', 'r_organization_social' and 'w_organization_social' permissions for your LinkedIn app, which requires you to apply and be approved as a LinkedIn Partner. You also need to 'Reauthorize' all LinkedIn company profiles in your 'LinkedIn' application in Kentico. See the hotfix instructions for details.
  • Users - Updating or resetting user passwords on MVC sites (using Kentico's ASP.NET Identity integration) resulted in redundant database updates of the affected user object. Applying the hotfix reduces such updates, lowering the likelihood of potential database deadlocks occurring in this scenario.


Hotfix 12.0.54

Published: Fri, 17 Jan 2020 09:16:42 GMT

Fixed bugs:

  • Page builder - If a page builder component (such as a widget) included scripts that used certain ECMAScript 5 features, an exception could occur in some scenarios when loading page builder scripts on pages containing the component. For example, the error could be encountered after installing the Kentico 'Rich text' inline editor widget. After applying the hotfix, the system no longer provides minification of page builder component scripts by default (we recommend adding custom minification of scripts in your project).
  • URL rewriting & SEO - If a site's 'Default page' setting was configured to the 'Use domain root' option, the redirect to the root did not preserve the values of any wildcard parameters contained in the home page's URL. After applying the hotfix, the domain root redirect URL includes wildcard parameters in the query string.


Hotfix 12.0.53

Published: Fri, 10 Jan 2020 15:34:32 GMT

Fixed bugs:

  • Authentication - If the 'Default cookie level' setting was lower than 'Editor', the system did not correctly set certain editor cookies for administration interface users who did not pass through the default sign-in page (for example when signing in via external claims-based authentication, Windows authentication, or directly on the live site and then accessing an administration URL). The missing cookies prevented parts of the administration interface from working correctly, such as the marketing automation and advanced workflow designer.
  • E-commerce - The 'Preview' tab for products in the 'Products' application did not work on MVC sites due to incorrectly set Content Security Policy headers. The problem occurred only after applying hotfix 12.0.29 (Service Pack) or newer.
  • Reporting - If reporting components (such as the 'DisplayReport.ascx' control) were used within custom pages, an error could occur while loading reports in certain scenarios and life cycle configurations. The errors occurred after applying hotfix 12.0.14 or newer.
  • Staging - If a user only had permissions to manage certain types of staging tasks (page, object, data), without the 'Manage all tasks' permission for the Staging module, they could not view the details of a failed task on the corresponding tab in the 'Staging' application.


Hotfix 12.0.52

Published: Fri, 13 Dec 2019 12:14:02 GMT

Fixed bugs:

  • A/B testing - It was not possible to view A/B test details from the 'Pages' application in published projects (using the 'Manage A/B test' button).
  • Facebook integration - Due to breaking changes in Facebook's API, the Facebook Insights reporting feature in Kentico (accessible via the 'Insights' tab when editing a page in the 'Facebook' Kentico application) displayed incorrect data. Moreover, as a result of these changes, 'Page fans' Insights reports no longer chart cumulative growth, but instead report daily fluctuations.
  • Integration bus - It was not possible to view the details of failed incoming or outgoing integration bus tasks in the 'Integration bus' application. Attempts resulted in a JavaScript error being logged in the browser console.
  • MVC - The system did not provide sufficient information for developers about certain types of errors originating from MVC page builder components (widgets, sections, inline property editors, etc.). For example, no details were available for errors resulting from the Razor view code of components. After applying the hotfix, such errors are logged with full exception details into the system's event log.


Hotfix 12.0.51

Published: Fri, 06 Dec 2019 13:24:58 GMT

Fixed bugs:

  • Attachments - Permissions for uploading page attachments were evaluated incorrectly if the 'Insert link' or 'Insert image or media' dialog was used to upload attachments while creating a new page (before the page was saved for the first time).
  • Sites - If an instance had multiple MVC sites and their presentation URLs contained the same base domain (for example with differences in the application path, e.g. 'domain.com' and 'domain.com/appPath'), the system in certain cases incorrectly used the site running on the less specific base domain as the current site. This affected both default functionality, and the result of 'SiteContext.CurrentSite' API calls in custom code. The problem occurred only after applying hotfix 12.0.41 or newer.
  • Transformations - The 'IsLast' transformation method did not return correct values in scenarios where the data used pagination. For example, the method did not return a 'true' value when the transformation was applied to the last item displayed by the 'Repeater' web part with paging enabled.


Hotfix 12.0.50

Published: Fri, 29 Nov 2019 10:23:24 GMT

Fixed bugs:

  • Security (Important) - Flawed MIME type validation for uploaded files - Certain locations within the system allowed uploading of files whose declared Content-Type was spoofed and did not match the file extension, which could lead to a cross-site scripting (XSS) vulnerability.
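The class of bug behind this fix is that the client-declared Content-Type is trusted for a file whose name and bytes say something else; the typical payload is HTML or SVG stored under an image name and later sniffed and rendered by a browser in the site's origin. The following is an added example, not Kentico code, of the consistency check an upload endpoint should perform: extension, declared type and magic bytes must all describe the same type. The allowlist, the sample uploads and the function names are constructed for illustration; Kentico's actual upload locations and validation are not shown on this page.

```python
"""Added example (not Kentico code): rejecting uploads whose declared
Content-Type is spoofed. Three things must agree: the file extension, the
Content-Type the client declares, and the first bytes of the file content.
The allowlist and the sample uploads are constructed for illustration."""
import os

# Extension -> (acceptable declared MIME types, magic-byte prefixes).
ALLOWED = {
    ".png":  ({"image/png"}, [b"\x89PNG\r\n\x1a\n"]),
    ".jpg":  ({"image/jpeg"}, [b"\xff\xd8\xff"]),
    ".jpeg": ({"image/jpeg"}, [b"\xff\xd8\xff"]),
    ".gif":  ({"image/gif"}, [b"GIF87a", b"GIF89a"]),
    ".pdf":  ({"application/pdf"}, [b"%PDF-"]),
}


def validate_upload(filename, declared_type, data):
    """Return (ok, reason). ok is True only when extension, declared
    Content-Type and file magic all describe the same type."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED:
        return False, f"extension {ext or '(none)'} not allowed"
    expected_types, magics = ALLOWED[ext]
    # Strip parameters such as "; charset=utf-8" before comparing.
    base_type = declared_type.split(";")[0].strip().lower()
    if base_type not in expected_types:
        return False, f"declared type {base_type} does not match extension {ext}"
    # The declared type is attacker-controlled; the bytes are what a browser
    # would sniff. HTML or SVG stored under an image name is how the XSS arises.
    if not any(data.startswith(m) for m in magics):
        return False, "file content does not match the declared type"
    return True, "ok"


# Constructed sample uploads, not files taken from any real site.
SAMPLES = {
    "genuine png":          ("logo.png",  "image/png",                b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    "html as png":          ("logo.png",  "image/png",                b"<html><script>alert(1)</script></html>"),
    "svg as png":           ("chart.png", "image/png; charset=utf-8", b'<svg onload="alert(1)"></svg>'),
    "jpeg bytes, png type": ("photo.jpg", "image/png",                b"\xff\xd8\xff\xe0" + b"\x00" * 16),
    "html extension":       ("page.html", "text/html",                b"<html></html>"),
}


def check_samples():
    """Map each sample to (accepted?, reason)."""
    return {name: validate_upload(*sample) for name, sample in SAMPLES.items()}


if __name__ == "__main__":
    for name, (ok, reason) in check_samples().items():
        print(f"{name:22} {'accept' if ok else 'reject'}: {reason}")
```

Magic-byte agreement is the server-side half of the defence. The other half is how stored files are served: send X-Content-Type-Options: nosniff with the Content-Type derived from the verified extension, and where possible serve user uploads from a separate origin, so a browser never sniffs a stored file into an executable type.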


Hotfix 12.0.49

Published: Fri, 22 Nov 2019 10:54:51 GMT

Fixed bugs:

  • API - When the 'CultureSiteInfoProvider.IsSiteMultilingual' API method was called for the first time for a site, it always returned a false result (subsequent calls worked correctly).
  • Campaigns - If a conversion was set for a campaign with the "any" option selected in the configuration (for example a 'Subscription to a newsletter' conversion for 'Any' newsletter), the contact demographics detailed report for the given conversion displayed empty data.
  • URL rewriting & SEO - In certain cases, the system redirected requests to an incorrect domain URL. For example, if a site used HTTPS URLs, enforcement of separate domains for cultures, and had a domain alias with a specified 'Visitor culture', the wrong language version was displayed when a page was accessed under the culture-specific domain. The problems occurred only after applying hotfix 12.0.35 or newer.


Hotfix 12.0.48

Published: Fri, 15 Nov 2019 11:21:52 GMT

Fixed bugs:

  • Security (Moderate) - Virtual context URLs leak via the HTTP Referer header - URLs pointing to third party domains leaked virtual context information via the HTTP Referer header. This occurred, for example, when a user editing an MVC page in the page builder clicked on a link or displayed an image loaded from a third party domain. The workaround for this issue is to add the 'meta referrer' tag to the HTML output of your MVC pages, i.e. set: <meta name="referrer" content="origin">.
  • URL rewriting & SEO - If a Portal Engine site had a domain alias with a 'Redirect URL' value containing the '{%protocol%}' macro, the redirection did not work correctly for URLs using the 'https' scheme.
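The Referer leak described in the security item above happens because, under the browser default policy at the time (no-referrer-when-downgrade), a cross-origin image or link request carries the full URL of the page that issued it, path and query included. The following is an added example, not Kentico code or browser code, that implements the Referrer Policy algorithm for the standard policy values and applies it to a preview URL, so you can see exactly what reaches a third-party host under each policy and why the 'origin' meta tag in the workaround is sufficient. The preview URL layout and the token in it are constructed for illustration and are not Kentico's actual virtual-context URL format.

```python
"""Added example (not Kentico code): what a browser puts in the HTTP Referer
header for each Referrer Policy value, applied to a preview/virtual-context
URL. The URL layout below is constructed for illustration."""
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin_tuple(url):
    """(scheme, host, port) with default ports normalised, for same-origin tests."""
    p = urlsplit(url)
    port = p.port if p.port is not None else DEFAULT_PORTS.get(p.scheme)
    return (p.scheme, p.hostname or "", port)


def _strip_for_referrer(url):
    """Spec 'strip url for use as a referrer': drop the fragment and any credentials."""
    p = urlsplit(url)
    netloc = p.netloc.rsplit("@", 1)[-1]  # remove user:pass@ if present
    return urlunsplit((p.scheme, netloc, p.path or "/", p.query, ""))


def _origin_string(url):
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc.rsplit('@', 1)[-1]}/"


def referer_for(policy, source_url, dest_url):
    """Return the Referer value sent when a page at source_url requests
    dest_url under the given policy, or None when no header is sent."""
    same_origin = _origin_tuple(source_url) == _origin_tuple(dest_url)
    # A 'downgrade' is an https page requesting an http resource.
    downgrade = urlsplit(source_url).scheme == "https" and urlsplit(dest_url).scheme == "http"
    full, origin = _strip_for_referrer(source_url), _origin_string(source_url)
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "origin":
        return origin
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "strict-origin":
        return None if downgrade else origin
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin
    if policy == "strict-origin-when-cross-origin":
        if same_origin:
            return full
        return None if downgrade else origin
    raise ValueError(f"unknown policy {policy!r}")


# Constructed preview URL: the path segment stands in for the virtual-context
# information the hotfix note says leaked; it is not Kentico's real URL layout.
PREVIEW_URL = ("https://admin.example.com/preview/ctx/OPAQUE-CONTEXT-TOKEN"
               "/en-US/products/widget?mode=edit#section")
THIRD_PARTY_IMAGE = "https://cdn.third-party.example/banner.png"


def leak_report():
    """Referer that the third-party host receives under each policy."""
    policies = ["no-referrer-when-downgrade", "strict-origin-when-cross-origin",
                "origin", "same-origin", "no-referrer", "unsafe-url"]
    return {p: referer_for(p, PREVIEW_URL, THIRD_PARTY_IMAGE) for p in policies}


if __name__ == "__main__":
    for policy, value in leak_report().items():
        print(f"{policy:32} -> {value}")
```

Under no-referrer-when-downgrade the third party receives the whole path, which is the leak the hotfix closes; under origin it receives only https://admin.example.com/. The meta tag from the workaround covers the page it is on; the equivalent Referrer-Policy response header covers every response the server sends. Browsers have since moved their default to strict-origin-when-cross-origin, which also trims the path for cross-origin requests, but an explicit policy is still the right control for an administration interface.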


Hotfix 12.0.47

Published: Fri, 08 Nov 2019 12:40:32 GMT

Fixed bugs:

  • MVC - When viewing pages on MVC sites through a preview URL (generated in the Pages application on the 'Properties -> General' tab), links to other pages incorrectly preserved the preview mode and the generated user context. After applying the hotfix, the 'href' attributes of such links no longer contain preview URLs and the links instead open the live site version of the targeted page.
  • MVC - The administration interface URLs internally used in the Pages application for the preview and page builder editing mode of pages on MVC sites incorrectly had unlimited validity. After applying the hotfix, these URLs contain a timestamp parameter and expire after 8 hours by default. The expiration time can be adjusted by setting the 'CMSPreviewLinkExpiration' key to a specific number of minutes in the web.config file of the Kentico administration application.
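The second MVC item above replaces preview and page-builder URLs that never expired with URLs carrying a timestamp and an 8-hour default lifetime. The following is an added example, not Kentico code, of how an expiring link of that kind has to be built so the timestamp actually means something: the expiry time is bound into an HMAC over the path and the user, so a client cannot extend a link by editing the timestamp parameter, and the signature is verified before the expiry is checked. The parameter names, the signing scheme, the secret and the URL path are assumptions for illustration; Kentico's internal preview-URL format is not described on this page. The 480-minute default mirrors the 8-hour default quoted in the hotfix note.

```python
"""Added example (not Kentico code): an expiring preview link whose
timestamp is bound into an HMAC signature, so the client cannot extend the
link by editing the `ts` parameter. Parameter names, signing scheme, secret
and path are assumptions for illustration."""
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

DEFAULT_EXPIRATION_MINUTES = 480  # 8 hours, the default quoted in the hotfix note
CLOCK_SKEW_SECONDS = 60
SECRET = b"constructed-demo-secret-rotate-in-real-deployments"


def _signature(path, user, issued_at):
    # Sign everything the server will trust when the link comes back.
    msg = f"{path}|{user}|{issued_at}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def mint_preview_link(base, path, user, now=None):
    issued_at = int(now if now is not None else time.time())
    query = urlencode({"user": user, "ts": issued_at, "sig": _signature(path, user, issued_at)})
    return f"{base}{path}?{query}"


def validate_preview_link(url, now=None, expiration_minutes=DEFAULT_EXPIRATION_MINUTES):
    """Return (ok, reason). The signature is checked before the expiry so a
    forged link is never reported as merely 'expired'."""
    now = int(now if now is not None else time.time())
    parts = urlsplit(url)
    q = parse_qs(parts.query)
    try:
        user, ts, sig = q["user"][0], int(q["ts"][0]), q["sig"][0]
    except (KeyError, ValueError):
        return False, "malformed"
    if not hmac.compare_digest(sig, _signature(parts.path, user, ts)):
        return False, "bad signature"
    if ts > now + CLOCK_SKEW_SECONDS:
        return False, "timestamp in the future"
    if now - ts > expiration_minutes * 60:
        return False, "expired"
    return True, "ok"


def demo_preview_links():
    """Outcomes for a freshly minted link under several conditions."""
    t0 = 1_600_000_000  # fixed clock so the outcome is deterministic
    link = mint_preview_link("https://admin.example.com", "/preview/en-US/products/widget", "editor1", now=t0)
    return {
        "fresh": validate_preview_link(link, now=t0 + 3600)[1],
        "after 8h": validate_preview_link(link, now=t0 + 8 * 3600 + 1)[1],
        "30-minute policy": validate_preview_link(link, now=t0 + 3600, expiration_minutes=30)[1],
        # The client rewrites ts to a day later: the signature no longer matches.
        "ts extended by client": validate_preview_link(link.replace(f"ts={t0}", f"ts={t0 + 86400}"), now=t0 + 9 * 3600)[1],
        # The client points the signed link at a different page.
        "path swapped": validate_preview_link(link.replace("/products/widget", "/admin/settings"), now=t0 + 60)[1],
        "no query": validate_preview_link("https://admin.example.com/preview/en-US/products/widget", now=t0)[1],
    }


if __name__ == "__main__":
    for case, outcome in demo_preview_links().items():
        print(f"{case:24} -> {outcome}")
```

A shorter lifetime, as the CMSPreviewLinkExpiration key allows, only reduces the window; it does not remove the need for the link to be unforgeable, since without integrity protection the lifetime is whatever the holder of the link writes into it.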


Hotfix 12.0.46

Published: Fri, 01 Nov 2019 09:44:33 GMT

Fixed bugs:

  • General - The 'Kentico.Libraries' NuGet package contained unnecessary libraries (CMS.Synchronization.WSE3.dll, Microsoft.Web.Services3.dll and DotNetOpenAuth.dll). The libraries are no longer present after updating the package to version 12.0.46 or newer.


Hotfix 12.0.45

Published: Fri, 25 Oct 2019 09:07:16 GMT

Fixed bugs:

  • Form components - The 'U.S. phone number' form component did not correctly format United States phone numbers and logged errors into the browser console when rendered as part of a form.
  • Search - The system ignored search settings for page fields storing the content of widgets and editable regions ('DocumentContent' and 'DocumentWebParts'), which can be customized in the 'Modules' application -> 'E-commerce' -> 'Classes' tab -> 'SKU' -> 'Search' tab.
  • WYSIWYG editor - If a link was created in page content using the editor and a '#' fragment component (e.g. anchor link) was manually added and saved to the URL, the fragment component was ignored when opening the link dialog again and lost upon subsequent save.
  • WYSIWYG editor - Links created using the editor were generated incorrectly if the link target was a page on a different Portal Engine site. The problem occurred only after applying hotfix 12.0.41 or newer.


Hotfix 12.0.44

Published: Fri, 18 Oct 2019 10:51:40 GMT

Fixed bugs:

  • Dialogs - The system processed page URLs inefficiently when listing items in page selector dialogs (e.g., when copying, moving or linking pages), which could lead to performance issues. For example, such issues could occur on MVC sites if the pages listed in the dialog had URL patterns containing resource-intensive macros.
  • General - If an MVC website was disabled by adding an 'App_Offline.htm' file to the project root, every request unnecessarily triggered initialization of the Kentico application (leading to redundant 'APPSTART' events in the system event log).
  • Page builder - Users with limited permissions were not able to create MVC pages with page builder support (i.e. page types with the 'Use Page tab' option enabled) in certain scenarios. An "Access is denied" error occurred if the user had sufficient permissions only for the content tree sub-section where the page was being created, but not for all parent pages.
  • Users - The newsletter subscriptions listed in the 'Users' application on the 'Subscriptions' tab of a selected user were not correctly updated after the user unsubscribed from a newsletter.


Hotfix 12.0.43

Published: Fri, 11 Oct 2019 12:26:36 GMT

Fixed bugs:

  • Page builder - If the value of an MVC widget property contained URLs in virtual relative format, and the property was edited and displayed using an inline editor, the URLs were not resolved correctly within the page builder interface (on the 'Page' tab of the Pages application). URLs within content on the live site were not affected and remained functional.
  • Search - The 'Optimize local search indexes' scheduled task did not work.
  • URL rewriting & SEO - Scenarios where a custom event handler was used to set the 'RequestContext.IsSSL' property did not work correctly (for example when handling HTTPS requests in environments with a reverse proxy server and TLS/SSL acceleration). The problem occurred only after applying hotfix 12.0.35 or newer.


Hotfix 12.0.42

Published: Fri, 04 Oct 2019 08:18:27 GMT

Fixed bugs:

  • E-commerce - On instances with hotfix 12.0.12 or newer applied, customers with a filled in 'Tax registration ID' value were incorrectly exempt from tax for products with a tax class that had the 'Zero tax if tax ID is supplied' property disabled. Note that applying this hotfix corrects the default tax exemption, but also reverses the changes from 12.0.12 - custom tax exemptions added using an 'ICustomerTaxClassService' implementation apply only for products under a tax class with the 'Zero tax if tax ID is supplied' property enabled. If you have a custom tax exemption and wish to avoid this behavior, please contact Kentico support.
  • Macros - Re-signing macros in 'System -> Macros -> Signatures' resulted in an error on instances installed as 'web site' projects and on precompiled deployments. The error occurred only after applying hotfix 12.0.37 or newer.
  • User interface - Errors or "access denied" messages could occur in certain parts of the administration interface due to incorrect hash validation. For example, when attempting to edit a transformation or query from the web part properties dialog. The problem occurred only after applying hotfix 12.0.40 or newer.
  • Widgets - If the default 'Form' widget was "nested" within a custom MVC widget (displayed using the 'RenderAction' HtmlHelper method), a 404 error occurred when submitting the resulting form. The problem occurred only after applying hotfix 12.0.30 or newer.


Hotfix 12.0.41

Published: Fri, 27 Sep 2019 11:11:08 GMT

Fixed bugs:

  • Page builder - Certain mouse button actions that occurred within modal dialogs in the page builder interface could incorrectly affect the interface outside of the dialog. Specifically, the 'mouseup' and 'mousedown' mouse button events were propagated to the dialog's parent elements.
  • Users - The 'Users' application incorrectly allowed only users with the 'Global administrator' privilege level to clone users (as well as perform 'Other actions', such as exporting users). After applying the hotfix, the actions are available for all users with sufficient permissions or at least the 'Administrator' privilege level.
  • Web parts - The 'Collapsible panel' layout web part and widget did not display the image specified through the 'Collapsed image' and 'Expanded image' properties.
  • WYSIWYG editor - Editing a link to a content-only page from a different site using the WYSIWYG editor's 'Insert link' dialog incorrectly opened the 'Web' tab and displayed an external web link. After applying the hotfix, such links are correctly edited on the 'Content' tab.


Hotfix 12.0.40

Published: Fri, 20 Sep 2019 10:17:09 GMT

Fixed bugs:

  • Hotfix - Applying the hotfix database scripts resulted in an error if the target database used a different schema than 'dbo' (the default schema for Kentico databases). The error occurs for hotfixes 12.0.29 (Kentico 12 Service Pack) up to 12.0.39, and is resolved in newer versions.
  • Media library - When a file in a media library was renamed on instances running in a web farm environment, the system did not log synchronization tasks, so the file rename did not occur on other servers. The problem impacted media libraries on MVC sites, which utilize a web farm to synchronize changes to the file system of the MVC live site application.
  • MVC - Links to URLs containing a '#' fragment component (e.g. anchor links) were not handled correctly in preview mode and the page builder interface. Upon clicking, such links led to invalid URLs, resulting in a 404 error.