Are you vulnerable?

Konsult wishes to improve the way we inform you about security issues. Transparency is key to making sure your websites are patched and kept as secure as possible. Here you will find all security issues fixed in Kentico 12 and all later versions.

The hotfixes are cumulative, meaning that each hotfix contains all previous hotfixes for the same version. We recommend that you apply the latest hotfix available for the Kentico version you are using. If you are looking for older versions, please visit https://devnet.kentico.com/download/hotfixes.
 

Hotfix 12.0.93

Published: Fri, 09 Apr 2021 12:05:35 GMT

Be sure to check our Hotfix instructions before starting the hotfix process. It might save you some trouble afterwards.

Fixed bugs:

  • Localization - System emails based on the 'Membership - Change password request', 'Membership - Password reset confirmation' and 'E-commerce - Automatic registration' email templates were sent with an incorrect culture in certain scenarios. Localization macros placed into the templates were resolved into a default culture (English) instead of the user's current content culture on the site.


Hotfix 13.0.20

Published: Fri, 09 Apr 2021 08:42:40 GMT

Fixed bugs:

  • Continuous integration - If continuous integration was enabled and a site's 'Routing mode' setting was switched to a different option, an error could occur when restoring the updated 'Page URL path' objects to the database.


Hotfix 13.0.19

Published: Thu, 01 Apr 2021 08:58:20 GMT

Fixed bugs:

  • ASP.NET Core - Automated tests created using the 'Kentico.Xperience.Libraries.Tests' NuGet package did not work in projects targeting ASP.NET Core 5. Running tests inheriting from the provided base classes, such as 'CMS.Tests.UnitTests', resulted in an error.
  • Page types - When editing a page type in the Page types application on the General tab, the default 'Small icon' and 'Large icon' images displayed after switching the 'Page type icon' property to 'Images' mode were missing.
  • Search - The 'User account for crawler' property was not displayed when editing smart search indexes of the 'Pages' type (for both Local and Azure indexes). The issue affected instances with hotfix 13.0.16 (Refresh 1) or newer applied.


Hotfix 13.0.18

Published: Fri, 26 Mar 2021 13:23:22 GMT

Fixed bugs:

  • API - Automated unit testing of page template filters was not possible due to internal API. Applying the hotfix makes the constructors of the 'PageTemplateDefinition' and 'PageTemplateFilterContext' classes public.
  • Caching - If a page builder widget on an ASP.NET Core site had output caching enabled (using the 'AllowCache' property of the 'RegisterWidget' attribute), and the widget's implementation was not based on a view component, an error occurred when rendering the widget in an editable area that allowed caching.
  • Email marketing - URLs generated by the 'ViewInBrowserUrl' macro that allow recipients to view marketing emails in a browser did not work when shared on certain external platforms, for example Facebook or Facebook Messenger. Opening the URL resulted in an "Access denied" error.
  • Licensing - For sites running under a Free edition license, attempting to change the 'Default content culture' on the General tab of the site editing interface resulted in an unhandled error.
  • Localization - When localizing text fields in the administration's 'Localize field' dialog, the 'Use existing resource key' option was only available for users with the Global administrator privilege level. After applying the hotfix, the option can also be used by editors with the 'Localize strings' permission for the 'Localization' module.
  • Page builder - An error occurred when adding page builder editable areas to views on an ASP.NET Core site via the 'EditableAreaAsync' extension method, if the 'EditableAreaOptions' parameter was not specified. The issue occurred only after applying hotfix 13.0.16 (Refresh 1).
  • Pages - The system did not display the page template selection dialog when creating new pages in the Pages or Products application for page types representing a product (when at least one page template was registered for these product page types).
  • Web farms - In rare cases, web farm task execution became stuck due to a deadlock that occurred during cache invalidation. This caused synchronization issues between the administration and live site applications.


Hotfix 13.0.17

Published: Fri, 19 Mar 2021 11:15:52 GMT

Fixed bugs:

  • Page builder - Setting the logging verbosity ('LogLevel' property) for the 'KenticoEventLog' application logger in ASP.NET Core projects to anything lower than 'Warning' (i.e., 'Trace', 'Debug' or 'Information') led to errors when editing pages in the page builder interface.
  • Page types - When editing a page type in the Page types application on the General tab, the 'Page type icon' property was always initially displayed in 'Font icon class' mode, even if the 'Images' mode was previously selected and an image file was uploaded. This could cause users to unintentionally overwrite the icon when saving the page type properties.
  • URL rewriting & SEO - On sites that used 'Custom' routing mode, setting values without a starting slash ('/') for the 'URL pattern' of page types resulted in invalid URLs for the given pages. For example, such URLs could cause errors in the administration's page selectors. After applying the hotfix, the system automatically processes URL patterns with a starting slash if one is missing in the entered value.


Hotfix 13.0.16

Published: Tue, 16 Mar 2021 08:46:05 GMT

Hotfix 13.0.16 is the Kentico Xperience 13 Refresh 1 release, which represents a larger update than a standard hotfix and includes new features. For detailed information about the introduced changes, please refer to the Refresh release notes.
 

Hotfix 13.0.15

Published: Fri, 05 Mar 2021 16:23:07 GMT

Fixed bugs:

  • URL rewriting & SEO - In certain cases, the system incorrectly returned a 404 (Not Found) error when attempting to access administration URLs ending with an extension (e.g., custom '.aspx' handlers or UI templates). The issue occurred only after applying hotfix 13.0.10 or newer.


Hotfix 13.0.14

Published: Fri, 26 Feb 2021 11:26:56 GMT

Fixed bugs:

  • General - The system incorrectly handled locking of zip files (for example the '\App_Themes\Default\Images\Images.zip' package), which could block certain deployment scenarios for the administration application.
  • General - The Xperience assemblies incorrectly used the specific hotfix number in their patch version, for example '13.0.10'. This could lead to compatibility problems when referencing custom assemblies and require generating unwanted binding redirects. After applying the hotfix, the assembly version is fixed as '13.0.13', including for future hotfixes.
  • Localization - If a different UI culture than English ('en-US') was selected for the administration on an ASP.NET Core site, text within the page and form builder interface was not resolved correctly in certain cases.
  • Page builder - Typing in fields within page builder properties dialogs triggered unnecessary reloads of the editing form. This could cause loss of entered text characters and other user experience issues, particularly in the case of slower connections.


Hotfix 13.0.13

Published: Fri, 19 Feb 2021 10:25:18 GMT

Fixed bugs:

  • Cultures - Switching the culture in the Pages application caused an error if the selected culture used a Presentation URL with a different domain. The problem occurred on multilingual sites where the 'URL format for multilingual sites' setting was set to 'Domain', and a matching 'Visitor culture' was assigned to one of the site's domain aliases.
  • Email marketing - The macro tree and autocomplete help incorrectly offered macros under the 'Email' entity, even when editing marketing email templates of a type other than 'Email' (Subscription, Unsubscription, Double opt-in). Such macros only resolve in the content of marketing emails based on templates of the 'Email' type, and are hidden for other templates after applying the hotfix.


Hotfix 13.0.12

Published: Fri, 12 Feb 2021 12:48:53 GMT

Fixed bugs:

  • Form components - If a selector form component, for example 'Radio buttons', 'Drop-down list' or 'Multiple choice', was assigned in the code of a form field using the 'EditingComponent' attribute and one of its 'DataSource' options had an empty value, e.g., ";(none)", this option was not displayed after the resulting form was refreshed, for example when the form evaluated a visibility condition. The issue only occurred on ASP.NET Core sites.


Hotfix 13.0.11

Published: Fri, 05 Feb 2021 10:24:42 GMT

Fixed bugs:

  • User interface - The calendar date and time selector in the administration interface was displayed with incorrect background styling when used to select a time range between two dates (for example when the 'From' and 'To' selector was opened above Web analytics report graphs).


Hotfix 13.0.10

Published: Fri, 29 Jan 2021 10:19:24 GMT

Fixed bugs:

  • Cultures - The culture selector in the Pages application did not display all options on sites with more than 13 assigned cultures.
  • Page builder - Custom plugins registered for the Rich text editor page builder component were ignored due to incorrect initialization.
  • Page builder - The 'Radio buttons' form component was styled and displayed incorrectly when used in a page builder configuration dialog (for example assigned as the editing component of a widget property).
  • Page builder - If long content (multiple paragraphs) was entered into the Rich text editor for the page builder, adding a new line caused the page to scroll down to the bottom of the widget content. The hotfix resolves the issue by updating the used Froala editor to version 3.2.6.
  • Page builder - Files or other resources containing a special character in their name were not loaded correctly when viewing content within the page builder interface, preview mode or the form builder in certain cases. The system incorrectly calculated the hash for the resource's URL. For example, the problem could affect files with special characters in their name added through a page builder widget using the media selector dialog.
  • Search - The 'Search fields' tab in the Page type editing interface was only available for page types that had the 'URL' feature enabled. After applying the hotfix, the search configuration is displayed for all page types that have either custom fields or the 'URL' feature. The change allows searching for page items that hold content, but do not need their own URL.
  • Unix/Linux - When accessing pages that contained resized images (e.g., from media libraries), it was possible to encounter 'System.ArgumentException: Parameter is not valid' errors when rendering certain resized images. This issue only affected Linux deployments of ASP.NET Core projects.
  • Unix/Linux - The hotfix addresses a number of filesystem-related issues encountered when hosting ASP.NET Core live site applications in Linux environments. The issues were primarily caused by a dependency on Windows-like filesystem conventions, so mostly impacted features reliant on Input/Output operations. The following is a non-exhaustive list of affected features: media library operations (insert, modify, delete), smart search (running indexing tasks, index rebuilds), web farm synchronization, scheduler functionality run on the live site. See the hotfix instructions for more information.


Hotfix 13.0.9

Published: Fri, 22 Jan 2021 15:33:45 GMT

Fixed bugs:

  • E-commerce - If a product bundle was automatically added to a customer's shopping cart as part of a 'Buy X Get Y' discount, the system incorrectly inserted two of each item included in the bundle.
  • Media library - An error occurred when creating a new media library after applying hotfix 13.0.4 or newer. The problem was caused by incorrectly signed macros, and can be fixed by applying hotfix 13.0.9, or alternatively by re-signing macros in the system.
  • On-line forms - When cloning forms, the maximum length of the new form's 'DB table name' was not validated correctly and allowed values that were too long. This could lead to inconsistencies with the resulting form.


Hotfix 13.0.8

Published: Fri, 15 Jan 2021 12:30:17 GMT

Fixed bugs:

  • Data engine - Changing the order of certain global objects resulted in an error after applying hotfix 13.0.7. For example, the issue could affect custom object types or custom tables with an order column.
  • Hotfix - Applying a previous version 13 hotfix to the Kentico Xperience setup files added incorrect versions of certain installation files and templates. As a result, new projects created using the hotfixed installer had an invalid database and did not work correctly. To fix the problem, you need to apply hotfix 13.0.8 or newer to the setup files.
  • Marketing automation - When a marketing automation process was automatically initiated by a trigger of the 'Time-based' type, contacts going through an 'If/Else' step got stuck even though they met the step's condition. The process remained in the 'Pending' state for the contact and could not finish.


Hotfix 13.0.7

Published: Fri, 08 Jan 2021 12:20:00 GMT

Fixed bugs:

  • Data engine - If a custom object type was stored outside of the default database (e.g., in a separated database for on-line marketing data), the system used an incorrect database connection when updating the order or ID path for the given objects, resulting in an error. For example, the problem occurred when displaying such objects in the administration using the UniGrid control and attempting to change the order of objects.
  • General - On ASP.NET Core sites, an instance of the 'IDataProtectionProvider' service was always required on application startup. This could cause slower application start and errors when developing isolated integration tests if a mock instance of this service was not created for every test.


Hotfix 13.0.6

Published: Fri, 11 Dec 2020 15:29:38 GMT

Fixed bugs:

  • Page builder - The cookie level of the system's 'KenticoCookiePolicyTest' cookie (used to detect the 3rd party domain blocking policy of a browser) was too high. This could result in incorrectly displayed error messages in the Xperience administration, e.g. in the page builder interface.
  • Search - Pages crawler search indexes did not reuse connections correctly on HTTPS sites. For example, this could cause SNAT Port Exhaustion errors to occur when rebuilding indexes on sites hosted on the Azure App Service, leading to missing page results.


Hotfix 12.0.92

Published: Fri, 11 Dec 2020 08:22:59 GMT

Fixed bugs:

  • Security (Informative) - Possible information disclosure in form control error messages - If an error occurred when rendering a Portal Engine form control, the error message displayed on the live site included stack trace information.
  • E-mail engine - Emails sent from the 'Send email' tab in the 'Email queue' application or the 'Mass email' tab in the 'Users' application did not resolve relative virtual URLs to their absolute form correctly. For example, this could result in broken links to pages on Portal Engine sites. The issue occurred only after applying hotfix 12.0.79 or newer.
  • Search - Pages crawler search indexes did not reuse connections correctly on HTTPS sites. For example, this could cause SNAT Port Exhaustion errors to occur when rebuilding indexes on sites hosted on the Azure App Service, leading to missing page results.
  • Users - Editing a user's memberships in the administration interface on the 'Membership' tab of the 'Users' application for a selected site incorrectly removed any memberships that the user had assigned on other sites. The problem did not occur when memberships were assigned in the 'Membership' application or automatically by purchasing a product associated with the membership.
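
The 'Pages crawler' entries in 13.0.6 and 12.0.92 above describe the same root cause: the crawler did not reuse HTTPS connections, so an index rebuild opened a fresh connection per page and ran the Azure App Service instance out of outbound SNAT ports. The following is an added example, not Kentico's crawler code, that contrasts the per-request client pattern with a single shared client whose handler pools connections. 'SocketsHttpHandler' and its pool settings are the .NET Core API (the ASP.NET Core live site of Xperience 13); on .NET Framework (Kentico 12) the equivalent is simply one static 'HttpClient'. The class name, the page URLs and the batch loop are constructed for illustration.

```csharp
using System;
using System.Net.Http;
using System.Threading.Tasks;

// Added example: connection handling for a page crawler (not Kentico's own code).
public static class CrawlerHttp
{
    // Anti-pattern: a new HttpClient per fetched page. Each disposed client
    // closes its connection and leaves the local socket in TIME_WAIT. Rebuilding
    // a large index this way can exhaust the outbound SNAT ports an Azure App
    // Service instance is allotted, after which fetches fail or time out and
    // the affected pages are simply absent from the index.
    public static async Task<string> FetchWithPerRequestClient(Uri pageUrl)
    {
        using (var client = new HttpClient())
        {
            return await client.GetStringAsync(pageUrl);
        }
    }

    // Correct pattern: one long-lived client. Its handler keeps a pool of open
    // connections per host, so consecutive HTTPS requests to the same site reuse
    // the established TLS connection instead of opening a new one each time.
    private static readonly HttpClient SharedClient = CreateSharedClient();

    private static HttpClient CreateSharedClient()
    {
        var handler = new SocketsHttpHandler
        {
            // Recycle pooled connections so DNS changes are eventually honoured.
            PooledConnectionLifetime = TimeSpan.FromMinutes(5),
            // Drop idle connections instead of holding them forever.
            PooledConnectionIdleTimeout = TimeSpan.FromMinutes(1),
            // Bound the parallelism per crawled host.
            MaxConnectionsPerServer = 8
        };
        return new HttpClient(handler) { Timeout = TimeSpan.FromSeconds(30) };
    }

    public static Task<string> FetchWithSharedClient(Uri pageUrl)
    {
        return SharedClient.GetStringAsync(pageUrl);
    }

    // Crawl a batch of pages with the shared client. One failed page is reported
    // through the callback rather than aborting the whole rebuild.
    public static async Task<int> CrawlAsync(Uri[] pageUrls, Action<Uri, Exception> onFailure)
    {
        int indexed = 0;
        foreach (var url in pageUrls)
        {
            try
            {
                string html = await FetchWithSharedClient(url);
                if (!string.IsNullOrEmpty(html))
                {
                    indexed++;
                }
            }
            catch (Exception ex) when (ex is HttpRequestException || ex is TaskCanceledException)
            {
                onFailure(url, ex);
            }
        }
        return indexed;
    }

    public static async Task Main()
    {
        // Constructed sample URLs; replace with the site's own page URLs.
        var pages = new[] { new Uri("https://example.com/"), new Uri("https://example.com/about") };
        int count = await CrawlAsync(pages, (url, ex) => Console.Error.WriteLine(url + ": " + ex.Message));
        Console.WriteLine("Indexed " + count + " of " + pages.Length + " pages");
    }
}
```

To confirm a rebuild is no longer leaking sockets, watch the TIME_WAIT count on the host while the index rebuilds (on Linux, 'ss -tan state time-wait | wc -l'); it should stay flat with the shared client and climb steadily with the per-request client. On Azure App Service, the 'Diagnose and solve problems' blade also reports SNAT port exhaustion per instance.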


Hotfix 13.0.5

Published: Mon, 07 Dec 2020 12:03:36 GMT

Fixed bugs:

  • General - Applying hotfix 13.0.4 caused errors in the administration application and prevented the project from compiling.
  • Media library - The hotfix allows media libraries to use the direct file path in URLs when adding links to files in Xperience content (instead of permanent media file URLs). For example, direct file URLs may be desired for media files placed in external storage, such as Microsoft Azure Blob storage. The option can be configured when editing individual media libraries on the 'General' tab. The configured URL format applies when adding links to media files in the rich text editor (using the page builder widget or when editing rich text page fields) and via page fields based on the 'Media selection' form control.
  • Pages - If certain characters (for example a ` grave accent) were used in the 'URL slug' of a page, the value could no longer be changed and an error occurred when viewing the page in the administration interface and on the live site.
  • Search - Azure search indexes of the 'Pages' or 'Pages crawler' type did not update after a page included in the index was updated (and a corresponding search task was processed).
  • Users - Editing a user's memberships in the administration interface on the 'Membership' tab of the 'Users' application for a selected site incorrectly removed any memberships that the user had assigned on other sites. The problem did not occur when memberships were assigned in the 'Membership' application or automatically by purchasing a product associated with the membership.


Hotfix 13.0.3

Published: Fri, 27 Nov 2020 12:35:57 GMT

Fixed bugs:

  • Files - On ASP.NET Core sites, the system generated malformed links to static files displayed under preview mode (in the 'Pages' application or when viewed via a generated preview URL). The issue occurred only for files placed outside the application's web root (~/wwwroot folder). Most commonly affected were media library files, which are by default stored in a dedicated site folder outside the application's web root.
  • Localization - Localization (e.g., via the system's ResHelper class) did not work and resulted in an error in projects targeting .NET Core 5.
  • Page builder - The search in the 'Media files selector' dialog for page builder components did not work in certain browsers (for example Firefox), and the displayed media files were not filtered.
  • Page builder - The properties dialog in the page builder interface prevented 'mouseup' and 'mousedown' button events from propagating. As a result, any form components that registered listeners for such events did not work correctly in the dialog when assigned to properties.
  • Pages - On ASP.NET Core sites that used content tree-based routing, pages configured to require authentication did not redirect public visitors to the site's sign-in page. The 401 Unauthorized response was returned instead.
  • Search - Changes made to the 'Enable smart search indexing' setting ('Settings' application -> System -> Search) were only reflected after application restart.
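
The 13.0.3 'Pages' entry above describes the expected behaviour: an anonymous request for a page that requires authentication must be answered with a redirect to the site's sign-in page, not a bare 401. On an ASP.NET Core live site the redirect target comes from the cookie authentication options the site registers, so the example below (added here, not Kentico's code) shows that registration next to a probe you can run against a protected URL after applying the hotfix. The '/Account/Signin' and '/Account/Denied' routes, the protected page URL and the class name are assumptions; the cookie options and the 'ReturnUrl' parameter are the standard ASP.NET Core cookie authentication API.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

// Added example (not Kentico's code): cookie authentication registration for an
// ASP.NET Core live site, plus a probe that verifies the sign-in redirect.
public static class SignInRedirect
{
    // Called from Startup.ConfigureServices. The challenge issued for a page that
    // requires authentication becomes "302 -> LoginPath?ReturnUrl=..." only when
    // a cookie scheme with a LoginPath is the default challenge scheme.
    public static void ConfigureAuthentication(IServiceCollection services)
    {
        services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
            .AddCookie(CookieAuthenticationDefaults.AuthenticationScheme, options =>
            {
                options.LoginPath = new PathString("/Account/Signin");        // assumed route
                options.AccessDeniedPath = new PathString("/Account/Denied");  // assumed route
                options.Cookie.HttpOnly = true;
                options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
                options.Cookie.SameSite = SameSiteMode.Lax;
                options.ExpireTimeSpan = TimeSpan.FromHours(8);
                options.SlidingExpiration = true;
            });
    }

    // Probe: request a protected page anonymously without following redirects.
    // Returns true only for a redirect to the sign-in path on the same host that
    // carries a ReturnUrl; the pre-hotfix 401 (or anything else) returns false.
    public static async Task<bool> RedirectsAnonymousToSignInAsync(Uri protectedPage, string loginPath)
    {
        using (var handler = new HttpClientHandler { AllowAutoRedirect = false, UseCookies = false })
        using (var client = new HttpClient(handler))
        using (var response = await client.GetAsync(protectedPage))
        {
            if (response.StatusCode == HttpStatusCode.Unauthorized)
            {
                return false; // bare 401: the visitor never sees a sign-in form
            }
            if (response.StatusCode != HttpStatusCode.Redirect)
            {
                return false;
            }
            Uri location = response.Headers.Location;
            if (location == null)
            {
                return false;
            }
            // Location may be relative ("/Account/Signin?ReturnUrl=...") or absolute.
            Uri absolute = location.IsAbsoluteUri ? location : new Uri(protectedPage, location);
            bool onSameHost = string.Equals(absolute.Host, protectedPage.Host, StringComparison.OrdinalIgnoreCase);
            bool toLoginPath = string.Equals(absolute.AbsolutePath, loginPath, StringComparison.OrdinalIgnoreCase);
            bool hasReturnUrl = absolute.Query.IndexOf("ReturnUrl=", StringComparison.OrdinalIgnoreCase) >= 0;
            return onSameHost && toLoginPath && hasReturnUrl;
        }
    }

    public static async Task Main()
    {
        // Constructed sample: a page under the site that requires authentication.
        var protectedPage = new Uri("https://www.example.com/members");
        bool ok = await RedirectsAnonymousToSignInAsync(protectedPage, "/Account/Signin");
        Console.WriteLine(ok ? "redirects anonymous visitors to sign-in" : "does NOT redirect to sign-in");
    }
}
```

The same-host check in the probe is deliberate: a sign-in redirect that lands on another host is an open-redirect finding in its own right, so the probe treats it as a failure rather than a pass.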


Hotfix 13.0.2

Published: Fri, 20 Nov 2020 13:32:18 GMT

Fixed bugs:

  • E-mail engine - Emails sent from the 'Send email' tab in the 'Email queue' application or the 'Mass email' tab in the 'Users' application did not resolve relative virtual URLs to their absolute form in certain cases.
  • Import/Export - Disabling the 'Rebuild site search indexes' option in the 'Objects selection' step of the import wizard did not work correctly, and the option always persisted as enabled after switching to a different object category.


Hotfix 13.0.1

Published: Fri, 13 Nov 2020 17:35:26 GMT

Fixed bugs:

  • E-mail engine - The 'Email queue' application incorrectly required the 'Modify email queue' permission to 'Refresh' the queue. After applying the hotfix, the 'Read email queue' permission is sufficient to refresh the queue.
  • Email marketing - Added a tip box with an introduction video for the 'Email marketing' application.


Hotfix 12.0.91

Published: Fri, 06 Nov 2020 08:51:34 GMT

Fixed bugs:

  • Security (Important) - Error messages in the administration interface vulnerable to XSS - There were several occurrences of a cross-site scripting vulnerability when the administration interface displayed an error message containing malicious user input (in object names). The issue was fixed by sanitizing special characters displayed in the error messages.
  • Form controls - Form fields on Portal Engine sites using the 'HTML5 input' form control lost CSS classes assigned through the field 'CSS styles' properties when a postback occurred on the page (for example after the form was submitted and validation failed).
  • Import/Export - When the same site was imported more than once to the same instance, the site root pages had the same values in the 'DocumentWorkflowCycleGUID' field, which could lead to errors and incorrect behavior. For example, creating new pages could result in page template retrieval errors. Applying the hotfix ensures unique GUID values for future imports, but does not fix existing sites with this issue.
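
The two security entries above, 12.0.92 'Security (Informative)' (a live-site error message that included a stack trace) and 12.0.91 'Security (Important)' (administration error messages that echoed an object name without escaping it), are the same class of mistake: an error message is built by interpolating values that should never reach the browser raw. The following is an added example, not Kentico's form control or administration code, showing the unsafe rendering next to a safe one, together with two checks you can run over a captured response. 'WebUtility.HtmlEncode' is the standard .NET encoder and stands in for whatever sanitization the hotfix applies; the class, the messages, the object name and the exception are constructed for illustration.

```csharp
using System;
using System.Net;
using System.Text.RegularExpressions;

// Added example (not Kentico's code): rendering an error message that names a
// user-controlled object without leaking a stack trace or enabling XSS.
public static class SafeErrorMessages
{
    // Before: interpolates the raw object name (an object named
    // "<img src=x onerror=alert(1)>" executes when the message is rendered) and
    // the whole exception (ex.ToString() includes the type, the message, every
    // stack frame and, with symbols present, source file paths).
    public static string RenderUnsafe(Exception ex, string objectName)
    {
        return "<div class=\"error\">Could not save '" + objectName + "': " + ex + "</div>";
    }

    // After: every user-controlled value is HTML-encoded, the live site receives
    // a generic message, and the full exception goes to the event log only.
    public static string RenderSafe(Exception ex, string objectName, bool isLiveSite, Action<Exception> logToEventLog)
    {
        logToEventLog(ex);
        string encodedName = WebUtility.HtmlEncode(objectName);
        string detail = isLiveSite
            ? "an unexpected error occurred. Please try again later."
            : WebUtility.HtmlEncode(ex.Message); // administrators may see the message, never the trace
        return "<div class=\"error\">Could not save '" + encodedName + "': " + detail + "</div>";
    }

    // Check 1: does the response body contain a .NET stack frame line such as
    // "   at Namespace.Type.Method(...)"? (Release builds omit the " in file:line" tail.)
    private static readonly Regex StackFrame = new Regex(@"^\s+at\s+[^\s(]+\(.*\)", RegexOptions.Multiline);

    public static bool LeaksStackTrace(string html)
    {
        return StackFrame.IsMatch(html);
    }

    // Check 2: does the response body echo the submitted input byte-for-byte?
    // If it does, the value was not encoded on the way out.
    public static bool ContainsUnencodedInput(string html, string rawInput)
    {
        return html.Contains(rawInput);
    }

    public static void Main()
    {
        // Constructed sample: a malicious object name and an exception that was
        // actually thrown, so that it carries a stack trace.
        string objectName = "<img src=x onerror=alert(1)>";
        Exception caught = null;
        try
        {
            throw new InvalidOperationException("Object update failed");
        }
        catch (Exception ex)
        {
            caught = ex;
        }

        string unsafeHtml = RenderUnsafe(caught, objectName);
        string safeHtml = RenderSafe(caught, objectName, isLiveSite: true, logToEventLog: e => Console.Error.WriteLine(e));

        Console.WriteLine("unsafe leaks trace:  " + LeaksStackTrace(unsafeHtml));
        Console.WriteLine("unsafe echoes input: " + ContainsUnencodedInput(unsafeHtml, objectName));
        Console.WriteLine("safe leaks trace:    " + LeaksStackTrace(safeHtml));
        Console.WriteLine("safe echoes input:   " + ContainsUnencodedInput(safeHtml, objectName));
    }
}
```

The two checks are also a cheap regression test for a site after a hotfix: submit an object name containing '<' and '"' through each form that reports errors, then run 'LeaksStackTrace' and 'ContainsUnencodedInput' over the captured response bodies. Encoding at the point of output is what makes the fix hold; filtering characters out of the stored name would leave any other rendering path exposed.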


Hotfix 12.0.90

Published: Fri, 23 Oct 2020 06:13:41 GMT

Fixed bugs:

  • Facebook integration - Due to changes in the Facebook API and related permissions, the functionality for publishing content to Facebook pages may stop working. To use the feature, you need to apply the hotfix and manually update your Facebook app. Ensure that your app has the 'pages_manage_posts', 'pages_read_user_content' and 'read_insights' permissions, upgrade the Facebook API Version to 'v8.0', and generate a new page access token for your Facebook app in Kentico.
  • Page builder - The folder tree area of the 'Media files selector' dialog for page builder components was too narrow, which could make it hard to read long or nested media folder names. The hotfix updates the design of the dialog to improve visibility in the folder tree.


Hotfix 12.0.89

Published: Fri, 16 Oct 2020 08:32:18 GMT

Fixed bugs:

  • E-commerce - Payments using the default PayPal provider resulted in a validation error if the order used a gift card with a value higher than the total price of all purchased items (only applies to cases where payment was still necessary after calculating the order's final price with shipping and tax).
  • E-mail engine - Cleaning of archived emails with attachment files was inefficient, and could potentially lead to timeout issues if the database contained a large number of archived emails with an attachment.
  • Marketing automation - Marketing automation processes could get stuck on 'Wait' steps and licensing errors were logged. The problem occurred in cases where the background scheduled task handling the wait step was executed in the context of a site with a license edition lower than EMS (on instances with multiple sites using different license editions).


Hotfix 12.0.88

Published: Fri, 09 Oct 2020 08:02:17 GMT

Fixed bugs:

  • Licensing - Running an MVC site with the Small Business license edition resulted in license limitation errors. After applying the hotfix, Small Business licenses support web farm synchronization and the errors no longer occur.


Hotfix 12.0.87

Published: Fri, 02 Oct 2020 09:45:06 GMT

Fixed bugs:

  • Staging - If the system was configured to store file binary data on the file system, staging tasks did not synchronize these files for object-related meta files. For example, the problem could affect product images assigned to SKUs.


Hotfix 12.0.86

Published: Fri, 25 Sep 2020 09:14:45 GMT

Fixed bugs:

  • Form controls - The 'reCAPTCHA' form control and MVC form component only processed the current content culture as a two-character ISO code, which could cause the reCAPTCHA to display in the incorrect culture. For example, the problem could occur on sites using the 'zh-HK' Chinese culture, which displayed the reCAPTCHA in the 'zh-CN' culture instead.


Hotfix 12.0.85

Published: Fri, 18 Sep 2020 10:52:15 GMT

Fixed bugs:

  • General export - An error occurred when using the Advanced export feature for email marketing link click statistics with the 'Export raw database data' option enabled and all data columns selected.
  • Staging - Page update staging tasks generated after adding or modifying a related page from another site did not synchronize the relationship change to target servers. After applying the hotfix, staging supports synchronization of relationships between pages on different sites.


Hotfix 12.0.84

Published: Fri, 11 Sep 2020 10:14:23 GMT

Fixed bugs:

  • Page types - An error occurred when rolling back to a previous version of a page type with one or more child page types (i.e. page types that inherit fields).
  • Web analytics - If a web analytics log file for exit page candidates contained invalid or malformed data, processing failed and prevented logging of all web analytics statistics. After applying the hotfix, such files are deleted and processing of other analytics logs continues.


Hotfix 12.0.83

Published: Fri, 28 Aug 2020 06:58:59 GMT

Fixed bugs:

  • Reporting - The 'Print' functionality in the Reporting application did not work on sites with the 'Kentico CMS Base' or lower license editions.


Hotfix 12.0.82

Published: Fri, 21 Aug 2020 08:16:50 GMT

Fixed bugs:

  • Microsoft Azure - On sites hosted in Azure, an error occurred in the administration interface when viewing pages in Preview mode or the page builder for pages whose node alias path contained non-ASCII characters. The virtual context URLs used by these features had escaped characters when obtained from Azure, resulting in a non-matching hash.
  • Page builder - When caching the output of controller actions using the ASP.NET output caching, the page builder did not load in the 'Pages' application for pages displayed through the cached actions. Instead, only a preview of the cached page was displayed. This problem occurred in special scenarios, for example, when caching based on specific parameters defined in the 'VaryByParam' property.