Are you vulnerable?

Konsult wishes to improve the way we inform you about security issues. Transparency is key to making sure your websites are patched and as secure as possible. Here you will see all security issues fixed in Kentico 12 and all future versions.

The hotfixes are cumulative, meaning that the hotfix contains all the previous hotfixes for the same version. We recommend that you apply the latest hotfix available for the respective Kentico version you are using. If you are looking for older versions, please visit https://devnet.kentico.com/download/hotfixes.
 

Hotfix 12.0.63

Published: Fri, 27 Mar 2020 09:38:32 GMT

Be sure to check our Hotfix instructions before starting the hotfix process. It might save you some trouble afterwards.

Fixed bugs:

  • Facebook integration - Facebook authentication on Portal Engine sites did not respect the 'Require unique user emails' setting and could create user accounts with the same email address as an existing user in the system. After applying the hotfix, such conflicts result in the creation of a Kentico user account with an empty email address.
  • UI personalization - Notifications about unsaved changes did not work in the Pages application for users who had the 'Properties' tab hidden by the UI personalization feature.


Hotfix 12.0.62

Published: Fri, 20 Mar 2020 08:59:58 GMT

Fixed bugs:

  • Localization - Localizing a form's 'After the form is submitted' or 'Submit button' text using resource strings (on the 'General' tab of the form's editing interface) did not work correctly for forms displayed on MVC sites using the 'Form' widget. The live site always displayed the English version of the text instead of using the current page's culture.


Hotfix 12.0.61

Published: Fri, 06 Mar 2020 09:27:23 GMT

Fixed bugs:

  • A/B testing - Page visit conversions for A/B tests on MVC sites were not logged correctly for sites running on a URL without a virtual directory (i.e. hosted directly in the root of an IIS website).
  • Page builder - URL values stored in the properties of page builder widgets, sections or templates (either through the property configuration dialog or an inline editor) lost their '#' fragment component after resaving the page multiple times. This could result in broken anchor links.
  • Translation services - An error occurred when creating a translation submission that contained a linked page together with the link's original page. After applying the hotfix, translation submissions filter out link duplicates and only include the original page.


Hotfix 12.0.60

Published: Fri, 28 Feb 2020 08:47:48 GMT

Fixed bugs:

  • Security (Important) - Administrators able to edit Global administrator users - Users with the 'Administrator' privilege level were able to send requests that modified other users with the higher 'Global administrator' privilege level (this was not possible directly in the user interface). Such changes could cause the global administrator to lose their privilege level, which could also impact the live site by invalidating security-sensitive macros signed by the given administrator. This vulnerability could not be used for privilege escalation.
  • MVC - If a project used bundling for CSS files and was compiled with a 'Release' configuration (i.e. the <compilation> element's 'debug' attribute set to 'false' in the web.config file), links to assets in the CSS code (fonts, images, etc.) with a relative URL became broken when viewing pages in preview mode or the page builder interface.
  • Workflow - Selection of roles from multiple different sites did not work correctly on the 'Security' tab of workflow or marketing automation steps. Selecting roles for one site incorrectly cleared the role selection made for other sites. After applying the hotfix, the site selector no longer appears above the role listing on the Security tab, but instead is part of the role selection dialog.


Hotfix 12.0.59

Published: Fri, 21 Feb 2020 09:00:13 GMT

Fixed bugs:

  • Page builder - If a page builder component's property (for example a widget property) used the 'Text area' editing form component, pressing the Enter key to add new lines within the resulting property configuration dialog did not work in the Firefox browser. The problem also affected any custom form components containing a 'textarea' tag.


Hotfix 12.0.58

Published: Fri, 14 Feb 2020 08:44:29 GMT

Fixed bugs:

  • Page builder - The system did not provide sufficient information for developers about errors originating from MVC form components when displayed as part of the widget properties dialog. After applying the hotfix, such errors are logged with full exception details into the system's event log.
  • Staging - Staging tasks generated after deleting all alternative URLs from a page on an MVC site did not work correctly (only if there were no remaining alternative URLs after the deletion). In these cases, the alternative URLs remained on target servers after synchronizing the corresponding 'Update page' staging task.


Hotfix 12.0.57

Published: Fri, 07 Feb 2020 11:28:14 GMT

Fixed bugs:

  • Continuous integration - If a website contained a very large number of pages (tens of thousands) of a certain page type, adding a new field to the page type with continuous integration enabled resulted in an SQL query that was too complex and an error occurred. After applying the hotfix, the system generates less complex queries for such scenarios, which minimizes the chance of SQL errors.
  • Web parts - The 'Custom registration form' web part did not validate the entered username value. If the specified username contained an invalid character, such as an apostrophe, an error occurred on the website.


Hotfix 12.0.56

Published: Fri, 31 Jan 2020 07:21:52 GMT

Fixed bugs:

  • E-commerce - When managing products in the 'Products' application on a Portal Engine site, switching the language selector to create a new culture version of a product caused an error. The error only occurred after applying hotfix 12.0.53 or newer.


Hotfix 12.0.55

Published: Fri, 24 Jan 2020 10:50:56 GMT

Fixed bugs:

  • E-commerce - For products that were used within an existing order, deleting one culture version of the product page incorrectly disabled the 'Allow for sale' property of the given product (SKU), even if there were other culture versions. After applying the hotfix, products are disabled only if no remaining culture versions exist.
  • Form components - An error occurred when submitting an MVC form containing the 'File uploader' form component if outgoing synchronization using the integration bus was enabled.
  • Social media - Due to changes in the LinkedIn integration API, the LinkedIn company profile management functionality in Kentico did not work. After applying the hotfix, you additionally need to obtain the 'rw_organization_admin', 'r_organization_social' and 'w_organization_social' permissions for your LinkedIn app, which requires you to apply and be approved as a LinkedIn Partner. You also need to 'Reauthorize' all LinkedIn company profiles in your 'LinkedIn' application in Kentico. See the hotfix instructions for details.
  • Users - Updating or resetting user passwords on MVC sites (using Kentico's ASP.NET Identity integration) resulted in redundant database updates of the affected user object. Applying the hotfix reduces such updates, lowering the likelihood of potential database deadlocks occurring in this scenario.


Hotfix 12.0.54

Published: Fri, 17 Jan 2020 09:16:42 GMT

Fixed bugs:

  • Page builder - If a page builder component (such as a widget) included scripts that used certain ECMAScript 5 features, an exception could occur in some scenarios when loading page builder scripts on pages containing the component. For example, the error could be encountered after installing the Kentico 'Rich text' inline editor widget. After applying the hotfix, the system no longer provides minification of page builder component scripts by default (we recommend adding custom minification of scripts in your project).
  • URL rewriting & SEO - If a site's 'Default page' setting was configured to the 'Use domain root' option, the redirect to the root did not preserve the values of any wildcard parameters contained in the home page's URL. After applying the hotfix, the domain root redirect URL includes wildcard parameters in the query string.


Hotfix 12.0.53

Published: Fri, 10 Jan 2020 15:34:32 GMT

Fixed bugs:

  • Authentication - If the 'Default cookie level' setting was lower than 'Editor', the system did not correctly set certain editor cookies for administration interface users who did not pass through the default sign-in page (for example when signing in via external claims-based authentication, Windows authentication, or directly on the live site and then accessing an administration URL). The missing cookies prevented parts of the administration interface from working correctly, such as the marketing automation and advanced workflow designer.
  • E-commerce - The 'Preview' tab for products in the 'Products' application did not work on MVC sites due to incorrectly set Content Security Policy headers. The problem occurred only after applying hotfix 12.0.29 (Service Pack) or newer.
  • Reporting - If reporting components (such as the 'DisplayReport.ascx' control) were used within custom pages, an error could occur while loading reports in certain scenarios and life cycle configurations. The errors occurred after applying hotfix 12.0.14 or newer.
  • Staging - If a user only had permissions to manage certain types of staging tasks (page, object, data), without the 'Manage all tasks' permission for the Staging module, they could not view the details of a failed task on the corresponding tab in the 'Staging' application.


Hotfix 12.0.52

Published: Fri, 13 Dec 2019 12:14:02 GMT

Fixed bugs:

  • A/B testing - It was not possible to view A/B test details from the 'Pages' application in published projects (using the 'Manage A/B test' button).
  • Facebook integration - Due to breaking changes in Facebook's API, the Facebook Insights reporting feature in Kentico (accessible via the 'Insights' tab when editing a page in the 'Facebook' Kentico application) displayed incorrect data. Moreover, as a result of these changes, 'Page fans' Insights reports no longer chart cumulative growth, but instead report daily fluctuations.
  • Integration bus - It was not possible to view the details of failed incoming or outgoing integration bus tasks in the 'Integration bus' application. Attempts resulted in a JavaScript error being logged in the browser console.
  • MVC - The system did not provide sufficient information for developers about certain types of errors originating from MVC page builder components (widgets, sections, inline property editors, etc.). For example, no details were available for errors resulting from the Razor view code of components. After applying the hotfix, such errors are logged with full exception details into the system's event log.


Hotfix 12.0.51

Published: Fri, 06 Dec 2019 13:24:58 GMT

Fixed bugs:

  • Attachments - Permissions for uploading page attachments were evaluated incorrectly if the 'Insert link' or 'Insert image or media' dialog was used to upload attachments while creating a new page (before the page was saved for the first time).
  • Sites - If an instance had multiple MVC sites and their presentation URLs contained the same base domain (for example with differences in the application path, e.g. 'domain.com' and 'domain.com/appPath'), the system in certain cases incorrectly used the site running on the less specific base domain as the current site. This affected both default functionality, and the result of 'SiteContext.CurrentSite' API calls in custom code. The problem occurred only after applying hotfix 12.0.41 or newer.
  • Transformations - The 'IsLast' transformation method did not return correct values in scenarios where the data used pagination. For example, the method did not return a 'true' value when the transformation was applied to the last item displayed by the 'Repeater' web part with paging enabled.


Hotfix 12.0.50

Published: Fri, 29 Nov 2019 10:23:24 GMT

Fixed bugs:

  • Security (Important) - Flawed MIME type validation for uploaded files - Certain locations within the system allowed uploading of files with a spoofed Content-Type that did not match the file extension, which could lead to an XSS vulnerability.


Hotfix 12.0.49

Published: Fri, 22 Nov 2019 10:54:51 GMT

Fixed bugs:

  • API - When the 'CultureSiteInfoProvider.IsSiteMultilingual' API method was called for the first time for a site, it always returned a false result (subsequent calls worked correctly).
  • Campaigns - If a conversion was set for a campaign with the "any" option selected in the configuration (for example a 'Subscription to a newsletter' conversion for 'Any' newsletter), the contact demographics detailed report for the given conversion displayed empty data.
  • URL rewriting & SEO - In certain cases, the system redirected requests to an incorrect domain URL. For example, if a site used HTTPS URLs, enforcement of separate domains for cultures, and had a domain alias with a specified 'Visitor culture', the wrong language version was displayed when a page was accessed under the culture-specific domain. The problems occurred only after applying hotfix 12.0.35 or newer.


Hotfix 12.0.48

Published: Fri, 15 Nov 2019 11:21:52 GMT

Fixed bugs:

  • Security (Moderate) - Virtual context URLs leak via the HTTP Referer header - URLs pointing to third party domains leaked virtual context information via the HTTP Referer header. This occurred, for example, when a user editing an MVC page in the page builder clicked on a link or displayed an image loaded from a third party domain. The workaround for this issue is to add the 'meta referrer' tag to the HTML output of your MVC pages, i.e. set: <meta name="referrer" content="origin">.
  • URL rewriting & SEO - If a Portal Engine site had a domain alias with a 'Redirect URL' value containing the '{%protocol%}' macro, the redirection did not work correctly for URLs using the 'https' scheme.


Hotfix 12.0.47

Published: Fri, 08 Nov 2019 12:40:32 GMT

Fixed bugs:

  • MVC - When viewing pages on MVC sites through a preview URL (generated in the Pages application on the 'Properties -> General' tab), links to other pages incorrectly preserved the preview mode and the generated user context. After applying the hotfix, the 'href' attributes of such links no longer contain preview URLs and the links instead open the live site version of the targeted page.
  • MVC - The administration interface URLs internally used in the Pages application for the preview and page builder editing mode of pages on MVC sites incorrectly had unlimited validity. After applying the hotfix, these URLs contain a timestamp parameter and expire after 8 hours by default. The expiration time can be adjusted by setting the 'CMSPreviewLinkExpiration' key to a specific number of minutes in the web.config file of the Kentico administration application.


Hotfix 12.0.46

Published: Fri, 01 Nov 2019 09:44:33 GMT

Fixed bugs:

  • General - The 'Kentico.Libraries' NuGet package contained unnecessary libraries (CMS.Synchronization.WSE3.dll, Microsoft.Web.Services3.dll and DotNetOpenAuth.dll). The libraries are no longer present after updating the package to version 12.0.46 or newer.


Hotfix 12.0.45

Published: Fri, 25 Oct 2019 09:07:16 GMT

Fixed bugs:

  • Form components - The 'U.S. phone number' form component did not correctly format United States phone numbers and logged errors into the browser console when rendered as part of a form.
  • Search - The system ignored search settings for page fields storing the content of widgets and editable regions ('DocumentContent' and 'DocumentWebParts'), which can be customized in the 'Modules' application -> 'E-commerce' -> 'Classes' tab -> 'SKU' -> 'Search' tab.
  • WYSIWYG editor - If a link was created in page content using the editor and a '#' fragment component (e.g. anchor link) was manually added and saved to the URL, the fragment component was ignored when opening the link dialog again and lost upon subsequent save.
  • WYSIWYG editor - Links created using the editor were generated incorrectly if the link target was a page on a different Portal Engine site. The problem occurred only after applying hotfix 12.0.41 or newer.


Hotfix 12.0.44

Published: Fri, 18 Oct 2019 10:51:40 GMT

Fixed bugs:

  • Dialogs - The system processed page URLs inefficiently when listing items in page selector dialogs (e.g., when copying, moving or linking pages), which could lead to performance issues. For example, such issues could occur on MVC sites if the pages listed in the dialog had URL patterns containing resource-intensive macros.
  • General - If an MVC website was disabled by adding an 'App_Offline.htm' file to the project root, every request unnecessarily triggered initialization of the Kentico application (leading to redundant 'APPSTART' events in the system event log).
  • Page builder - Users with limited permissions were not able to create MVC pages with page builder support (i.e. page types with the 'Use Page tab' option enabled) in certain scenarios. An "Access is denied" error occurred if the user had sufficient permissions only for the content tree sub-section where the page was being created, but not for all parent pages.
  • Users - The newsletter subscriptions listed in the 'Users' application on the 'Subscriptions' tab of a selected user were not correctly updated after the user unsubscribed from a newsletter.


Hotfix 12.0.43

Published: Fri, 11 Oct 2019 12:26:36 GMT

Fixed bugs:

  • Page builder - If the value of an MVC widget property contained URLs in virtual relative format, and the property was edited and displayed using an inline editor, the URLs were not resolved correctly within the page builder interface (on the 'Page' tab of the Pages application). URLs within content on the live site were not affected and remained functional.
  • Search - The 'Optimize local search indexes' scheduled task did not work.
  • URL rewriting & SEO - Scenarios where a custom event handler was used to set the 'RequestContext.IsSSL' property did not work correctly (for example when handling HTTPS requests in environments with a reverse proxy server and TLS/SSL acceleration). The problem occurred only after applying hotfix 12.0.35 or newer.


Hotfix 12.0.42

Published: Fri, 04 Oct 2019 08:18:27 GMT

Fixed bugs:

  • E-commerce - On instances with hotfix 12.0.12 or newer applied, customers with a filled in 'Tax registration ID' value were incorrectly exempt from tax for products with a tax class that had the 'Zero tax if tax ID is supplied' property disabled. Note that applying this hotfix corrects the default tax exemption, but also reverses the changes from 12.0.12 - custom tax exemptions added using an 'ICustomerTaxClassService' implementation apply only for products under a tax class with the 'Zero tax if tax ID is supplied' property enabled. If you have a custom tax exemption and wish to avoid this behavior, please contact Kentico support.
  • Macros - Re-signing macros in 'System -> Macros -> Signatures' resulted in an error on instances installed as 'web site' projects and on precompiled deployments. The error occurred only after applying hotfix 12.0.37 or newer.
  • User interface - Errors or "access denied" messages could occur in certain parts of the administration interface due to incorrect hash validation. For example, when attempting to edit a transformation or query from the web part properties dialog. The problem occurred only after applying hotfix 12.0.40 or newer.
  • Widgets - If the default 'Form' widget was "nested" within a custom MVC widget (displayed using the 'RenderAction' HtmlHelper method), a 404 error occurred when submitting the resulting form. The problem occurred only after applying hotfix 12.0.30 or newer.


Hotfix 12.0.41

Published: Fri, 27 Sep 2019 11:11:08 GMT

Fixed bugs:

  • Page builder - Certain mouse button actions that occurred within modal dialogs in the page builder interface could incorrectly affect the interface outside of the dialog. Specifically, the 'mouseup' and 'mousedown' mouse button events were propagated to the dialog's parent elements.
  • Users - The 'Users' application incorrectly allowed only users with the 'Global administrator' privilege level to clone users (as well as perform 'Other actions', such as exporting users). After applying the hotfix, the actions are available for all users with sufficient permissions or at least the 'Administrator' privilege level.
  • Web parts - The 'Collapsible panel' layout web part and widget did not display the image specified through the 'Collapsed image' and 'Expanded image' properties.
  • WYSIWYG editor - Editing a link to a content-only page from a different site using the WYSIWYG editor's 'Insert link' dialog incorrectly opened the 'Web' tab and displayed an external web link. After applying the hotfix, such links are correctly edited on the 'Content' tab.


Hotfix 12.0.40

Published: Fri, 20 Sep 2019 10:17:09 GMT

Fixed bugs:

  • Hotfix - Applying the hotfix database scripts resulted in an error if the target database used a different schema than 'dbo' (the default schema for Kentico databases). The error occurs for hotfixes 12.0.29 (Kentico 12 Service Pack) up to 12.0.39, and is resolved in newer versions.
  • Media library - When a file in a media library was renamed on instances running in a web farm environment, the system did not log synchronization tasks, so the file rename did not occur on other servers. The problem impacted media libraries on MVC sites, which utilize a web farm to synchronize changes to the file system of the MVC live site application.
  • MVC - Links to URLs containing a '#' fragment component (e.g. anchor links) were not handled correctly in preview mode and the page builder interface. Upon clicking, such links led to invalid URLs, resulting in a 404 error.


Hotfix 12.0.39

Published: Fri, 13 Sep 2019 10:10:43 GMT

Fixed bugs:

  • Authentication - On Portal Engine sites using claims-based (WIF) authentication, URL query string parameters were lost when a user accessed a secured page, was redirected to sign in via the external identity provider, and then returned after successful authentication. After applying the hotfix, handlers of the 'SecurityEvents.AuthenticationRequested' global event include the full query string within the event arguments that provide the redirection URL.
  • Form builder - Globally enforcing authorization over the entire MVC front-end (using the 'Authorize' attribute) resulted in errors when accessing the 'Form builder' tab of the 'Forms' application in the administration interface.
  • Form components - After uploading a file into an MVC form field using the 'File uploader' form component, attempts to delete the file before submitting the form failed and resulted in an error.
  • URL rewriting & SEO - If an external redirect was configured for the Kentico application (e.g., via IIS or the 'hosts' file) and the 'Force domain culture' setting was enabled, but the destination domain was not configured for the target site on the 'Domain aliases' tab in the 'Sites' application, attempting to access the site resulted in an uncaptured .NET error message being displayed to the visitor instead of the system error page.


Hotfix 12.0.38

Published: Fri, 06 Sep 2019 10:35:39 GMT

Fixed bugs:

  • API - When using the 'Kentico.Libraries.Tests' NuGet package to create automated tests, an error occurred when running tests if the 'NUnit' dependency package was manually updated to version 3.10 or newer. After applying the hotfix and updating the 'Kentico.Libraries.Tests' package to 12.0.38 or newer, tests are compatible with newer versions of the 'NUnit' package.
  • Form controls - The 'Form field selector' form control did not work correctly. The control always saved the first field of the chosen form, regardless of the actual field selection in the second drop-down list.
  • Licensing - For instances with the Kentico 12 Service Pack applied (hotfix 12.0.29 or newer), a licensing error occurred on pages created using the MVC page builder if the site's license edition was lower than EMS.
  • Macros - Macro expressions where multiple chained methods modified the data of an object collection did not work correctly in certain cases. For example, if a collection was first modified by the 'Filter' method and then the 'OrderBy' method was added, the original filtering was not applied to the resulting data.
  • On-line forms - If a form on an MVC site contained a field using the 'File uploader' form component, an error occurred on the form's 'Code' tab in the 'Forms' application. It was not possible to generate item and provider code for the given form.
  • Users - If the 'Use site prefix for user names' setting was enabled, the system did not send notification emails to users whose account was locked due to password expiration or reaching the limit of invalid sign-in attempts. As a result, users could not access the password change or account unlock link in the email.


Hotfix 12.0.37

Published: Fri, 30 Aug 2019 10:29:06 GMT

Fixed bugs:

  • Security (Important) - Unrestricted file upload in MVC forms - For files uploaded through forms on MVC sites using the 'File uploader' form component, it was possible to change the recorded original file name on subsequent requests after the initial upload was successful. This allowed upload of any file types to the system. Only users with the 'Read data' permission for the 'Forms' module were able to access these files.
  • Licensing - Re-signing macros in 'System -> Macros -> Signatures' could lead to licensing errors in the event log and invalid macros (for macro expressions related to features for which the instance's current license edition was insufficient).
  • On-line forms - Form fields using the 'File uploader' form component on MVC sites worked incorrectly with form notification emails. Such fields did not display the name of the uploaded file in the email content and the submitted files were not included as email attachments.
  • On-line forms - Forms created using the MVC form builder did not display validation error messages correctly in certain scenarios. If a form was submitted and validation error messages were displayed, these messages disappeared when the form was refreshed (for example after further input triggered re-evaluation of a field's visibility condition).
  • Staging - On instances with multiple target staging servers, synchronization tasks were incorrectly deleted in certain scenarios. When synchronizing tasks to all servers (with the '(all)' option selected in the server selector), tasks were fully deleted for all servers even if the synchronization was only successful for one of the servers.


Hotfix 12.0.36

Published: Fri, 23 Aug 2019 08:22:32 GMT

Fixed bugs:

  • Dialogs - It was not possible to select or drag and drop media files from the file system after opening the media files selector modal dialog. The problem occurred when the 'allowedExtensions' property was not specified in the 'options' parameter object of the 'modalDialog.mediaFilesSelector.open(options)' function.
  • Modules - The 'Parent object type' property of the 'Roles' application's 'Edit role' UI element was incorrectly set to 'A/B test (om.abtest).' This could have caused errors when adding child UI elements to the 'Edit role' element. Applying the hotfix sets the 'Parent object type' property to '(automatic).' Note that this will also overwrite any customizations made to the 'Edit role' element in your project.
  • Web parts - Layout web parts located in a hidden web part zone were completely invisible in the editing interface. The editing handle of such web parts was hidden, and it was not possible to edit them.


Hotfix 12.0.35

Published: Fri, 16 Aug 2019 08:46:20 GMT

Fixed bugs:

  • E-commerce - In certain cases, when utilizing the web part-based checkout process on Portal Engine sites, a previously selected shipping option incorrectly persisted over multiple orders, even though the orders did not contain any shippable items. Furthermore, when using custom shipping carrier providers, removing all shippable items from an order after a shipping option has been selected resulted in an error in certain cases.
  • E-commerce - The 'Customer detail' web part did not validate the uniqueness of entered email addresses for signed-in users. If the entered email address was already registered in the system (e.g., by another user), this could have resulted in two users with identical addresses (due to the way the system merged the submitted information with the internal user object).
  • General - When the Kentico application was running behind a proxy server or some other service that masks the application's original domain (e.g., Azure Application Gateway), it generated certain requests with incorrect URLs. This caused errors in parts of the application (e.g., when uploading files into Media libraries). When hosting the Kentico application behind a proxy server, developers need to set the 'CMSUrlHost' web.config key (added by the hotfix) to the 'host' component of the proxy server's URL to ensure the application correctly generates request URLs. Please note that this configuration currently applies only for Portal Engine projects. See the hotfix instructions for more information.
  • MVC - Installing or updating the 'Kentico.AspNet.Mvc' NuGet package added an empty 'CMSConnectionString' <add> element to the 'connectionStrings' section in the web.config file, if it was not already present. This could cause errors in certain scenarios, for example when using an external connection string file specified via the 'configSource' attribute. The same problem could occur also for the 'appSettings' section with specified 'configSource', where the NuGet installation was adding the 'CMSHashStringSalt' app setting. Versions 12.0.35 and newer of the package no longer add the empty 'CMSConnectionString' and 'CMSHashStringSalt' elements when the 'configSource' attribute is present in their parent section. In case of external config sources, developers need to manually specify the 'CMSConnectionString' connection string and the 'CMSHashStringSalt' app setting in the external config files.
  • Web farms - In special cases, the system accumulated redundant records by repeatedly failing to delete the records from the 'CMS_WebFarmTask' database table.


Hotfix 12.0.34

Published: Fri, 09 Aug 2019 11:14:26 GMT

Fixed bugs:

  • Form controls - When using the 'Image selection' and 'Media selection' form controls for the fields of pages under workflow, validation of the fields was executed incorrectly in certain cases. For example, if the field was set as required after an existing page was already published, the validation prevented users from subsequently creating a new version of the page.
  • Users - Kentico's ASP.NET Identity integration for MVC projects was tightly coupled with the default 'Kentico.Membership.User' class. Any changes to the 'User' class (e.g., added custom properties or additional logic) required a full re-implementation of the entire ASP.NET Identity integration. The hotfix expands the Kentico membership API by introducing the 'KenticoUserManager', 'KenticoUserStore', and 'KenticoSignInManager' types, which allow developers to seamlessly integrate custom user types derived from the default 'Kentico.Membership.User' class. See the hotfix instructions for more details.