Are you vulnerable?

Konsult wishes to improve the way we inform you about security issues. Transparency is key to making sure your websites are patched and as secure as possible. Here you will see all security issues fixed in Kentico 12 and all future versions.

The hotfixes are cumulative, meaning that the hotfix contains all the previous hotfixes for the same version. We recommend that you apply the latest hotfix available for the respective Kentico version you are using. If you are looking for older versions, please visit https://devnet.kentico.com/download/hotfixes.

Hotfix 12.0.19

Published: Thu, 18 Apr 2019 09:43:43 GMT

Be sure to check our Hotfix instructions before starting the hotfix process. It might save you some trouble afterwards.

Fixed bugs:

  • Staging - When a page with an associated SKU was under a workflow, modified fields of the SKU that contained ID values (such as the 'SKUDepartmentID' field) were not staged correctly if the IDs were different between the staging servers, but the 'NodeSKUID' field was identical.


Hotfix 12.0.18

Published: Fri, 12 Apr 2019 08:54:30 GMT

Fixed bugs:

  • On-line forms - When editing forms on a Portal Engine site via the 'Form builder' tab in the 'Forms' application, removing or cloning of fields did not work if the field's 'Label' value contained an apostrophe (single quote) character.


Hotfix 10.0.52

Published: Wed, 10 Apr 2019 09:03:20 GMT

Fixed bugs:

  • Security (Critical) - Unauthenticated Remote Code Execution through .NET object deserialization in staging service - Due to an error in the Microsoft.Web.Services3 library, it was possible for a specially crafted request on staging service to bypass the initial authentication and proceed to deserialize user-controlled input. The deserialization of the user-controlled input then led to remote code execution on the server where the Kentico instance was hosted. The workaround for this issue is the same for all projects, regardless of staging utilization - set the 'Staging service authentication' setting to 'X.509':
    1. Navigate to 'Settings' -> 'Versioning & Synchronization' -> 'Staging'
    2. Under the 'Staging service' section set 'Staging service authentication' to 'X.509'
    3. 'Save' the changes


Hotfix 12.0.17

Published: Fri, 05 Apr 2019 12:23:27 GMT

Fixed bugs:

  • E-commerce - For users with an associated customer, setting the 'First name', 'Last name' or 'Email' property to an empty value incorrectly cleared the corresponding value for the customer entity. These are required fields for customers, so this type of synchronization caused an invalid state. After applying the hotfix, only non-empty name and email values are synchronized from users to customers.
  • Form builder - The 'FormFieldRenderingConfiguration.GetConfiguration' event added as part of the form builder markup customization API introduced in hotfix 12.0.14 was incorrectly invoked in certain scenarios. After applying the hotfix, the event is only triggered for forms rendered by the 'Form' widget. All documented customization scenarios remain unaffected.
  • Form controls - The 'Uni selector' form control did not save selected items correctly if the returned value (determined by the control's 'Return column name' setting) contained special characters. The problem occurred in selection modes that utilize a dialog, such as 'Multiple'.
  • Macros - If an email widget property used the 'Macro editor' form control, context specific objects were not available in the macro autocomplete feature and 'Insert Macro' dialog. It was still possible to enter such objects manually.


Hotfix 11.0.48

Published: Thu, 04 Apr 2019 14:17:35 GMT

Fixed bugs:

  • Security (Critical) - Unauthenticated Remote Code Execution through .NET object deserialization in staging service - Due to an error in the Microsoft.Web.Services3 library, it was possible for a specially crafted request on staging service to bypass the initial authentication and proceed to deserialize user-controlled input. The deserialization of the user-controlled input then led to remote code execution on the server where the Kentico instance was hosted. The workaround for this issue is the same for all projects, regardless of staging utilization - set the 'Staging service authentication' setting to 'X.509':
    1. Navigate to 'Settings' -> 'Versioning & Synchronization' -> 'Staging'
    2. Under the 'Staging service' section set 'Staging service authentication' to 'X.509'
    3. 'Save' the changes


Hotfix 12.0.16

Published: Fri, 29 Mar 2019 07:59:03 GMT

Fixed bugs:

  • API - The 'ResourceStringInfoProvider.TranslationExists' method returned an incorrect result in certain cases (after the system's cache was cleared).
  • Campaigns - When running a campaign on an MVC site, the value of the 'utm_content' parameter used in the campaign's links was not logged correctly for conversions or displayed in the campaign's reports.
  • Dialogs - When calling the 'modalDialog' JavaScript function in custom client code within the administration interface, the function's 'otherParams' parameter was ignored in certain cases (in locations where the system opened an advanced modal dialog). As a result, developers could not control parameters such as the resizability of the opened dialog.
  • Page builder - When using custom form components in the configuration dialog for page builder widget properties, scrolling functionality was incorrectly disabled. As a result, form components with scrollable elements (e.g. advanced drop-down options) did not work when used to edit widget properties.


Hotfix 12.0.15

Published: Fri, 22 Mar 2019 09:58:05 GMT

Fixed bugs:

  • Security (Critical) - Unauthenticated Remote Code Execution through .NET object deserialization in staging service - Due to an error in the Microsoft.Web.Services3 library, it was possible for a specially crafted request on staging service to bypass the initial authentication and proceed to deserialize user-controlled input. The deserialization of the user-controlled input then led to remote code execution on the server where the Kentico instance was hosted. The workaround for this issue is the same for all projects, regardless of staging utilization - set the 'Staging service authentication' setting to 'X.509':
    1. Navigate to 'Settings' -> 'Versioning & Synchronization' -> 'Staging'
    2. Under the 'Staging service' section set 'Staging service authentication' to 'X.509'
    3. 'Save' the changes
  • E-commerce - If the product variant editing form (i.e. the 'Variant properties' alternative form of the 'SKU' class) was customized to display the 'Image' field (SKUImagePath), the field's default 'Product image selector' form control did not correctly save information about uploaded image metafiles. This resulted in incorrect behavior, for example when displaying or staging the variant and its image.
  • Form controls - The 'SKU selector' form control did not work if its 'Allow multiple choice' setting was enabled.
  • General - Processing of requests containing a query string parameter without a value, such as '?param', could result in an error in certain scenarios. For example, the errors could occur for requests that loaded files and other resources.
  • General export - When using the Advanced export feature for contacts in the 'Contact groups' application with the 'Export raw database data' option selected, it was not possible to select custom contact fields for the export.
  • Web parts & controls - An error occurred when attempting to select a file in the 'Linked file' property of the 'Javascript' web part if another file was already specified.


Hotfix 12.0.14

Published: Fri, 15 Mar 2019 13:59:03 GMT

Fixed bugs:

  • Form builder - The hotfix introduces additional API that enables more extensive markup customization options for forms built using the 'Form builder' feature. See the hotfix instructions for details.
  • Pages - When deleting a linked page from the content tree in the 'Pages' application, it was not possible to select an alternative page to which old URLs could be redirected.
  • Reporting - If a report had parameters with defined validation rules, the validation did not work when the report and its parameter filter were displayed on a website page using a reporting web part or widget.
  • Web parts - Tabs displayed by the 'Tabs layout' web part were not hidden correctly in certain cases when their content was empty, even when the web part's 'Hide empty tabs' property was enabled. For example, the problem occurred if a tab contained a Repeater web part with an empty data source and the 'Hide if no record found' property enabled.


Hotfix 12.0.13

Published: Fri, 08 Mar 2019 09:47:50 GMT

Fixed bugs:

  • Event management - All event attendees stored for an event, represented as a page of the 'Event (booking system)' page type, were removed when one of the page's culture versions was deleted. After applying the hotfix, event attendees are removed only after the deletion of the event's last remaining culture version.
  • Form builder - The system allowed invalid characters as part of the 'Name' property of form fields (adjustable via the Properties tab of the MVC Form builder). After applying the hotfix, the 'Name' property must begin with a letter or an underscore ('_') character and may contain only letters, numbers, and additional underscore characters.
  • MVC - When publishing an MVC live-site application (e.g., via the Visual Studio 'Publish' wizard), the publishing process did not copy certain .NET Resource (.resx) files. This resulted in unresolved resource strings in parts of the published application. The problem occurred when using versions 12.0.1 to 12.0.12 of the 'Kentico.AspNet.Mvc' NuGet package. From package version 12.0.13, all necessary resource files are copied during the publishing process.
  • MVC - If an MVC widget or form component was registered with an identifier containing a certain suffix (e.g. matching a blocked IIS extension such as '.resources' or '.sitemap'), an error occurred when the item was added to the page or form builder.
  • REST - Authentication of requests to the Kentico REST service failed if the provided password contained the colon character (':').
  • Web analytics - The 'Seznam' search engine defined in the 'Search Engines' application had an obsolete domain configured in its 'Domain rule' property. As a result, visitors from the Seznam search engine (seznam.cz) were not being tracked accurately. After applying the hotfix, the system correctly tracks all visitors that access a site from the 'Seznam' search engine.


Hotfix 12.0.12

Published: Fri, 01 Mar 2019 12:19:32 GMT

Fixed bugs:

  • E-commerce - If a tax exemption for customers was created by registering a custom 'ICustomerTaxClassService' implementation, it was only applied for products with a tax class that had the 'Zero tax if tax ID is supplied' property enabled. After applying the hotfix, the property no longer affects custom tax exemptions (unless checked in the code of the custom implementation).
  • Email marketing - The system did not send confirmation emails to recipients who unsubscribed from a single email feed of the 'Email campaign' type. Additionally, confirmation emails were incorrectly sent in certain cases after unsubscribing from all email feeds (email campaigns and newsletters), which is not intended behavior.
  • Form components - The hotfix removes the 500 character restriction placed on the 'Text area' form component for the MVC Form builder. After applying the hotfix, the character limit is by default set to the maximum number of characters allowed by the underlying database column. However, note that this change is only reflected in form fields created after the hotfix was applied. See the hotfix instructions for details.
  • Page builder - Calling the 'GetPage' method in the Index action of an MVC widget without any properties defined resulted in an error when the widget was displayed.


Hotfix 12.0.11

Published: Fri, 22 Feb 2019 12:33:14 GMT

Fixed bugs:

  • Form controls - A validation error occurred when attempting to save a field with the 'Form field selector' form control if the control's 'Field data type' setting was set to the 'All' option.
  • MVC - Page builder and preview functionality did not work on pages whose controller and action were accessed through another action using an MVC redirect method (for example 'RedirectToAction').
  • Page builder - Widgets or sections that utilized actions other than 'Index' (for example the submit action of the default 'Form' widget) did not work correctly in certain scenarios. The problem could occur if the MVC application's route collection did not contain a general route with a controller and action parameter, or if a different route with a custom controller and the 'Index' action matched the page builder URLs.
  • URL rewriting & SEO - If the default CSRF security token functionality was disabled using the 'CMSEnableCsrfProtection' web.config key, custom 404 error handling pages assigned through the 'Page not found URL' setting were not displayed when a POST request targeted a non-existing URL (by default the standard IIS 404 page was displayed instead).


Hotfix 12.0.10

Published: Fri, 15 Feb 2019 10:46:22 GMT

Fixed bugs:

  • MVC - After installing or updating the 'Kentico.AspNet.Mvc' NuGet package, the 'CMSApplicationModule' module in the MVC project's web.config file did not contain the 'preCondition' attribute, which could have a negative performance impact on the application. Versions 12.0.10 and newer of the package ensure that the preCondition is correctly set to 'managedHandler'.


Hotfix 12.0.9

Published: Fri, 08 Feb 2019 09:09:31 GMT

Fixed bugs:

  • E-commerce - Products that use inventory tracking and have the 'Sell only if items available' property enabled may in some cases be sold even when the inventory is depleted if multiple customers place orders concurrently. After applying the hotfix, the system logs a warning into the event log if such a situation occurs. Additionally, the hotfix introduces the 'CMSUseStrictInventoryManagement' web.config key, which you can enable to prevent the system from creating such orders. If you enable the key and have an MVC site or Portal Engine site with custom checkout components, you need to ensure that your custom code handles the resulting 'InvalidOperationException' and displays appropriate information to customers.
  • General - Processing of requests to virtual paths defined by the Microsoft ASP.NET Web Optimization Framework, such as JavaScript or CSS bundles, resulted in an error (null reference exception). The errors occurred only for requests handled by the Kentico web project (not in MVC applications using the Kentico API).
  • Search - A move operation on a subset of pages under an Azure search index redundantly updated all pages in the corresponding index. This could result in very long indexing operations on sites with a large number of indexed pages.
  • Staging - If multiple staging tasks were synchronized in a single batch, and the synchronization failed for one or more of the tasks, the entire batch remained in the task list (including tasks that were already successfully processed).


Hotfix 12.0.8

Published: Fri, 01 Feb 2019 12:29:18 GMT

Fixed bugs:

  • Dialogs - When selecting or uploading an image file in certain types of media selection dialogs (for example in a page field using the 'Media selection' form control), resizing of the image with a locked aspect ratio did not work correctly.
  • Personas - The system did not allow users to manually recalculate a persona after a new rule was added for the persona in the 'Personas' application.
  • Search - The 'DataItemCount', 'IsFirst()' and 'IsLast()' transformation property and methods did not work correctly for data returned by the smart search (for example in transformations used by the 'Smart search results' web part). After applying the hotfix, the property and methods return the correct values for the currently displayed page of results.
  • Staging - Synchronizing pages with an associated product (SKU) could break the relationship between the page and the product on the target server (in cases where the IDs of the given SKU were different between the staging instances).
  • Staging - When a page with an associated SKU was synchronized with the 'Publish from' field set to a future date, fields of the SKU were not staged correctly (except the name and description fields).


Hotfix 12.0.7

Published: Fri, 25 Jan 2019 14:30:02 GMT

Fixed bugs:

  • Form components - The 'DefaultValue' property of the 'EditingComponent' attribute did not initialize form components (e.g., in forms or widget properties dialogs) with the specified default value. After applying the hotfix, the 'DefaultValue' property correctly sets a form component's default value when necessary.
  • User interface - The 'Order by' property of the 'Selector' UI web part did not work, and also could not be set through the properties of UI elements that used the 'Listing with general selector' page template. After applying the hotfix, custom UI elements based on this template can now have their selector order by value configured through a new property.


Hotfix 12.0.6

Published: Fri, 18 Jan 2019 12:14:01 GMT

Fixed bugs:

  • Data protection - When erasing personal data from the system in the 'Data protection' application on the 'Right to be forgotten' tab, data subject identifiers (e.g. an email address) that contained certain special characters, such as '+', were not processed correctly, which could result in data not being removed.
  • MVC - If the page builder was initialized in a controller of a page located in an MVC Area, an error was displayed instead of the content on the live site and when previewing the page.
  • Page types - The 'Default value' of page type fields was always loaded in the editing form, even for existing pages that had a different value specified. Saving such forms could cause users to make unintended changes in the page data. The problem was introduced by applying hotfix 12.0.5. However, applying hotfix 12.0.6 reverts an older bug fix, and prevents the default value from being applied for the following system page fields: DocumentInheritsStylesheet, DocumentShowInSiteMap, DocumentMenuItemHideInNavigation, DocumentIsArchived, DocumentUrlPath, DocumentWildcardRule and DocumentPriority.
  • Page types - If an existing page type inherited fields from another page type, and a new field or category was added to the parent, the position of the new field in the inherited type could be incorrect (the order was not adjusted according to the inherited type's own additional fields). After applying the hotfix, such new fields are always added directly below the inherited field that precedes the new field in the parent page type.
  • Workflow - When multiple content editors attempted to save pages under a workflow in the Pages application, a deadlock could occur in certain cases.


Hotfix 11.0.47

Published: Fri, 11 Jan 2019 12:58:06 GMT

Fixed bugs:

  • E-commerce - Certain operations with products could lead to SQL deadlock errors on sites with the 'Kentico CMS Base' or lower license editions.
  • E-commerce - Applying hotfix 11.0.39 or newer introduced a change in the e-commerce API, which could cause undetected broken functionality for sites with a customized tax calculation process. After applying hotfix 11.0.47, such cases now clearly result in a runtime and compilation error. Any custom code that prepares 'TaxCalculationResult' objects can no longer use the setter of the 'TotalTax' property, and must instead set the new 'ItemsTax' and 'ShippingTax' properties.


Hotfix 12.0.5

Published: Fri, 11 Jan 2019 11:53:00 GMT

Fixed bugs:

  • Email marketing - The 'Process domain prefix' setting was not taken into account when tagging links in marketing emails with UTM parameters. If the domain prefix in an email link's URL was different from the prefix in the main domain set for the site, the given link was not tagged with the specified UTM parameters.
  • Import toolkit - The Import Toolkit utility did not reflect application keys in the web.config file of the related Kentico project. For example, this caused incorrect behavior when importing data with continuous integration enabled and a custom repository path configured in the target project's web.config. Additionally, serialization of continuous integration data was incorrectly performed when running a simulated import of data in the utility. To fix the issues, the hotfix must be applied to the Setup files (switch to advanced mode in the hotfix utility).
  • MVC - If an MVC site was configured to convert URLs to lower case (by setting the 'RouteCollection.LowercaseUrls' property to true in the code of the related MVC project), errors occurred in certain parts of the page builder and form builder interface, for example the widget property configuration dialog.
  • Page types - If a macro expression was added into the 'Default value' of a page type field with the 'Required' flag enabled, certain types of macros, for example {% EditedObject %}, were not evaluated correctly and returned a null value when creating new pages of the given type.
  • Scheduler - The external Windows service for running scheduled tasks did not release allocated memory correctly in certain cases, which resulted in high memory consumption.
  • Search - Created Azure search indexing tasks were processed synchronously, which could result in an unresponsive user interface (e.g., when manipulating indexed pages in the content tree). After applying the hotfix, created Azure search tasks are processed asynchronously in one-minute intervals (if not customized otherwise).
  • Web parts - The 'Users data source' web part did not order data correctly if the 'ORDER BY condition' property contained multiple columns with different order directions (ASC or DESC keywords). The last order keyword was incorrectly used for all columns.


Hotfix 12.0.4

Published: Fri, 04 Jan 2019 11:43:24 GMT

Fixed bugs:

  • Licensing - A license limitation error was logged for license editions lower than EMS when working with MVC widgets in the page builder. After applying the hotfix, such errors only occur if there are personalization condition types registered in the system (which require an EMS license).
  • Search - Updating or assigning page categories caused indexing tasks for Azure indexes of the 'Pages' type to fail if the index was newly created and not yet rebuilt, or if the subset of the content tree to be indexed, as specified on an index's 'Indexed content' tab, did not yet contain any pages.


Hotfix 12.0.3

Published: Fri, 21 Dec 2018 15:20:16 GMT

Fixed bugs:

  • Authentication - The system disregarded all multi-factor authentication validity interval customizations (via overriding the 'ClockDriftTolerance' property).
  • Chat - The 'Chat support request' web part did not render correctly in certain cases (e.g., on 404 error pages).
  • Email marketing - When sending newsletters, the "License for feature 'NewsletterABTesting' not found" error was logged in the event log and the newsletters were not sent on sites with lower than EMS licenses.
  • Search - When indexing page attachments, errors caused by invalid Unicode surrogate pairs in PDF files terminated the indexing operation. Since such invalid surrogate pairs can occur in otherwise valid PDF files, the pairs are now stripped during the indexing process.
  • Staging - When an advanced workflow containing an asynchronous step (e.g., the 'Wait' or 'Send email' step) was applied to a page in a staging environment, changes to the page past the asynchronous step were not logged into the selected staging task group.


Hotfix 12.0.2

Published: Fri, 14 Dec 2018 13:21:35 GMT

Fixed bugs:

  • Contact management - When setting the 'Subsidiary of' field on the 'General' tab of an account in the 'Contact management' application, the system did not preserve the account selection if the parent account was selected via the '(more items…)' dialog window.
  • Groups - When accessing forum groups belonging to a specific group on the 'Forums' tab of the 'Group' application, more strict permissions than necessary were required.
  • Licensing - Certain operations with products could lead to SQL deadlock errors on sites with the 'Kentico CMS Base' or lower license editions.
  • Search - When indexing page attachments, errors caused by malformed attachment content (e.g., invalid Unicode characters) displayed insufficient debugging information. After applying the hotfix, the error message contains the ID and name of the attachment causing the exception.
  • Web parts - The 'ORDER BY expression' field was not taken into account when displaying related pages using the 'Repeater' web part. The default order of the related pages was always displayed.


Hotfix 11.0.46

Published: Fri, 14 Dec 2018 12:45:08 GMT

Fixed bugs:

  • Email marketing - On Kentico EMS instances hosting multiple sites, subscriber data was processed incorrectly when automatically merging contacts who subscribed to newsletters from different sites. This could lead to marketing emails not being sent to subscribers and loss of subscriber data in some cases.
  • Search - When indexing page attachments, errors caused by malformed attachment content (e.g., invalid Unicode characters) displayed insufficient debugging information. After applying the hotfix, the error message now contains the ID and name of the attachment causing the exception.


Hotfix 12.0.1

Published: Fri, 07 Dec 2018 11:29:21 GMT

Fixed bugs:

  • Email marketing - On Kentico EMS instances hosting multiple sites, subscriber data was processed incorrectly when automatically merging contacts who subscribed to newsletters from different sites. This could lead to marketing emails not being sent to subscribers and loss of subscriber data in some cases.
  • Event log - When logging new events into the event log, the system did not delete old events according to the limit specified in the 'Event log size' setting.
  • On-line Marketing - Activities of the 'Form submission' type were logged with an incorrect 'Activity URL' value on content-only (MVC) sites. After applying the hotfix, such activities are logged with the URL of the page displaying the given form.


Hotfix 11.0.45

Published: Fri, 23 Nov 2018 09:57:37 GMT

Fixed bugs:

  • Data protection - The 'Contact has agreed with consent' macro rule was not evaluated correctly in certain types of conditions (for example in marketing automation process triggers), and always returned a false value.
  • E-commerce - When writing custom code that obtained a shopping cart object for an existing order using the 'ShoppingCartInfoProvider.GetShoppingCartInfoFromOrder' method, the cart's 'OrderDiscount' property was not set and always returned 0 (until the shopping cart was recalculated by calling its 'Evaluate()' method).
  • Form controls - If certain drop-down selector form controls (e.g. the 'Uni selector' in 'Single drop down list' selection mode) were placed into a form that was displayed in a dialog, such as the web part configuration dialog, and the field's settings also used an 'Enabled condition', clicking the '(more items...)' option in the list did not work correctly and the additional selection dialog was not opened.


Hotfix 11.0.44

Published: Fri, 16 Nov 2018 09:24:22 GMT

Fixed bugs:

  • E-commerce - An error occurred on pages that displayed product details using an ASCX transformation containing the 'ShoppingCartItemSelector' control, if the control's 'UnavailableVariantInfoEnabled' property was enabled and the displayed product did not have any defined variants.
  • Facebook connect - Authentication failed when signing in to a website through the 'Facebook Connect logon' web part (a JavaScript error occurred due to changes in the Facebook SDK).
  • Import/Export - When importing a page type or custom table on an instance where the given object did not exist yet, role permissions configured for the page type or custom table were not imported.


Hotfix 11.0.43

Published: Fri, 09 Nov 2018 10:05:56 GMT

Fixed bugs:

  • General export - When using the general export feature of listings in the administration interface (export to Excel, CSV or XML files), text data containing special characters, such as diacritics, could be malformed in the exported files.
  • Import/Export - If the 'Membership reminder', 'Report subscription sender' or 'Users delete non activated user' scheduled tasks were imported within a package from an older version, the given tasks could not be executed due to an incorrect assembly and class name.
  • Pages - Attempting to publish a page under a workflow after restoring it from the recycle bin worked incorrectly. This happened only if the workflow was applied to an existing page after its creation.
  • Search - Local search indexes did not work when running Kentico as a scaled-out Azure Web App with the 'CMSSharedFileSystem' web.config key enabled (this key was introduced in hotfix 11.0.23).


Hotfix 11.0.42

Published: Fri, 02 Nov 2018 08:56:40 GMT

Fixed bugs:

  • Email marketing - Certain macros related to email marketing did not take A/B testing variants of emails into account. For example, this could lead to incorrect evaluation of conditions that used the "Contact has opened marketing email" macro rules.
  • MVC - Output caching did not work correctly on the pages of MVC sites for registered users due to unnecessary cookie operations performed by the system. The problem affected users whose 'Preferred user interface culture' was set to '(default)', for example newly registered users.
  • Pages - If a multilingual page used an ad-hoc page template shared by all culture versions, deleting a culture version of the page also permanently deleted the page template (this caused the remaining culture versions to display blank content). After applying the hotfix, templates shared by multiple culture versions are deleted only after deleting the last culture version of a page.
  • Pages - A warning message about unsaved changes was displayed after editing and saving a page field using the 'Uni selector' form control (on the Form or Content tab of the Pages application). The warning message was displayed even when all changes were correctly saved.
  • Search - On sites using an Azure Search index, updating a page that had the 'Exclude from search' option enabled (on the 'Properties -> Navigation' tab of the Pages application) resulted in a failed indexing task, which blocked further processing of Azure Search tasks (until the failed task was manually deleted).
  • Social Media - Due to changes in the Facebook API and updated security requirements, the initial Facebook authentication and page publishing functionality in Kentico no longer works. To use the features, you need to apply the hotfix, manually set 'Valid OAuth redirect URIs' for your Facebook app, and ensure that the app has the required permissions via the Facebook App Review. See the hotfix instructions for details.


Hotfix 11.0.41

Published: Fri, 26 Oct 2018 06:42:27 GMT

Fixed bugs:

  • Email marketing - If a contact was already subscribed to a newsletter with double opt-in enabled and attempted to subscribe again after the double opt-in interval had expired, the system did not inform them about the existing subscription. Similarly, calling the 'IsSubscribed' API method of the default 'ISubscriptionService' in custom code incorrectly returned a false value in these cases.
  • Page types - When adding system page fields to a page type (fields with the 'Field type' set to 'Page field'), the 'Default value' was not applied in the resulting editing form for certain system fields, for example 'DocumentMenuItemHideInNavigation'.
  • Search - Smart search indexes of the 'Pages crawler' type used incorrect URLs for pages of content-only page types, which prevented content from being indexed (for example on MVC sites).


Hotfix 11.0.40

Published: Fri, 19 Oct 2018 07:32:21 GMT

Fixed bugs:

  • Pages - When a page field was edited on the Form tab of the Pages application with a value that did not meet the requirements of a validation rule, repeated submission of the data (e.g., moving to the next workflow step) incorrectly resulted in successful validation (while the original data was submitted).


Hotfix 11.0.39

Published: Fri, 12 Oct 2018 06:39:39 GMT

Fixed bugs:

  • Attachments - Resizing of attachment images according to device profiles did not work correctly. Resizing was performed according to the device profile active when the image was requested for the first time. The result was cached and incorrectly served for all other profiles until the cache expired.
  • E-commerce - Payments using the default PayPal provider failed if the site was configured to include tax in prices. If you have customized the tax calculation process by creating your own 'ITaxCalculationService' implementation, you need to manually update your code after applying the hotfix. When preparing 'TaxCalculationResult' objects, set the new 'ItemsTax' and 'ShippingTax' properties instead of the original 'TotalTax'.
  • Email marketing - On sites running in a web farm environment, duplicate copies were sent out for a portion of newsletter or email campaign emails in certain cases.
  • Scheduler - If a scheduled task was configured to run only on specific days of the week, the 'Next run' time was calculated incorrectly under certain circumstances.