Are you vulnerable?

Konsult wishes to improve the way we inform you about security issues. Transparency is a key to make sure your websites are patched and secure as much as possible. Here you will see all security issues fixed in Kentico 12 and all future versions.

The hotfixes are cumulative, meaning that the hotfix contains all the previous hotfixes for the same version. We recommend that you apply the latest hotfix available for the respective Kentico version you are using.  If you are looking for older versions, please visit https://devnet.kentico.com/download/hotfixes.
 

Claim My Free ꓘonsultation

Hotfix 12.0.80

Published: Fri, 07 Aug 2020 09:04:53 GMT

Be sure to check our Hotfix instructions before starting the hotfix process.It might save you some trouble afterwards.

Fixed bugs:

  • Form builder - The visibility condition and validation rule components of the system's 'Form builder' feature contained a memory leak. Sites making heavy use of these components experienced severely heightened memory utilization, eventually resulting in an application crash.
  • WYSIWYG editor - When editing page fields based on the 'Rich text editor' form control, the system incorrectly handled virtual URLs in the 'poster' attribute of 'video' tags (added through the editor's Source mode). After saving such a URL into the content, subsequent edits loaded a relative URL resolved according to the application path of the administration application. Re-saving the field could cause the poster URL to become invalid, for example if the live site was running with a different application path than the administration.


Hotfix 12.0.79

Published: Fri, 31 Jul 2020 07:47:36 GMT

Be sure to check our Hotfix instructions before starting the hotfix process.It might save you some trouble afterwards.

Fixed bugs:

  • Form builder - It was not possible to set a static 'id' attribute for the 'form' HTML element of forms placed using the system's default 'Form' widget. By default, the system always generated a random 'id' for each form to prevent multiple forms with identical identifiers from being placed on a single page. After applying the hotfix, you can suppress this behavior by setting the 'id' attribute via the 'FormWidgetRenderingConfiguration.FormHtmlAttributes' property. However, note that this sets the same 'id' attribute for ALL form widget instances. As a result, having more than one form per page is not supported under this configuration.
  • Page builder - If content added through the page builder (for example using a text editor widget) included absolute URLs with a domain matching the current site's Presentation URL, the URLs became broken after resaving the content. The system resolved such URLs into internal virtual context URLs ('/cmsctx/...') to work within the administration interface, but this value was incorrectly saved into the database on subsequent edits. After applying the hotfix, such absolute URLs are modified to relative URLs after being saved, and the system correctly handles the virtual context URL conversions. The fix does not address any existing broken links - these need to be fixed and resaved manually.


Hotfix 12.0.78

Published: Fri, 24 Jul 2020 08:05:17 GMT

Be sure to check our Hotfix instructions before starting the hotfix process.It might save you some trouble afterwards.

Fixed bugs:

  • E-commerce - Payments using the default PayPal provider resulted in a validation error if the order contained a note longer than 165 characters. After applying the hotfix, order notes that exceed this number of characters are trimmed before being sent to PayPal.


Hotfix 12.0.77

Published: Fri, 10 Jul 2020 08:06:50 GMT

Be sure to check our Hotfix instructions before starting the hotfix process.It might save you some trouble afterwards.

Fixed bugs:

  • E-commerce - Free shipping offers with a 'Minimum order amount' were incorrectly evaluated without subtracting any applied order discounts from the checked order price. Note that after applying the hotfix, orders will no longer qualify for free shipping if their price does not meet the minimum amount after subtracting an order discount.


Hotfix 12.0.76

Published: Fri, 03 Jul 2020 10:57:24 GMT

Be sure to check our Hotfix instructions before starting the hotfix process.It might save you some trouble afterwards.

Fixed bugs:

  • Pages - An error occurred in the language version comparison mode of the Pages application for users whose username contained certain special characters, such as a backslash (typically for users created via external authentication).
  • Pages - Certain scenarios did not work correctly if the 'URL pattern' of page types on MVC sites contained a page path macro that could resolve into a value with multiple URL segments, such as the 'NodeAliasPath' field. For example, detection of alternative URL conflicts did not work for the resulting pages. After applying the hotfix, the system handles such macros if they are the only value placed into the URL pattern.


Hotfix 12.0.75

Published: Fri, 26 Jun 2020 09:37:08 GMT

Be sure to check our Hotfix instructions before starting the hotfix process.It might save you some trouble afterwards.

Fixed bugs:

  • Security (Important) - Method used to resolve URLs was vulnerable to XSS - There were several occurrences of a cross-site scripting vulnerability when the system resolved URLs whose relative part contained a special sequence of characters. The vulnerability occurred in the administration interface, as well as controls that could be used on the live site. The issue was fixed by filtering out these characters.

    Workaround for all Kentico versions

    A manual workaround for this issue is to add URL sequences from "/(A(" to "/(Z(" to the <denyUrlSequence> web.config element. The web.config should contain the following:

    <denyUrlSequences>
        <add sequence="/(A(" />
        <add sequence="/(B(" />
        ...
        <add sequence="/(Z(" />
    </denyUrlSequences>
  • Pages - Users created via external authentication whose username contained certain special characters could encounter an error when viewing pages in the Pages application, for example in Preview mode or in the page builder edit mode on the 'Page' tab. After applying the hotfix, the virtual context URLs used to display such content store the GUID of the current user instead of the username.
  • Search - The system generated individual smart search indexing tasks for each page associated with a given product (SKU object) every time the product was modified. This occurred even for pages not included under any smart search indexes. After applying the hotfix, the system generates a single smart search task per SKU modification that processes all pages related to the product.


Hotfix 12.0.74

Published: Fri, 19 Jun 2020 07:51:14 GMT

Be sure to check our Hotfix instructions before starting the hotfix process.It might save you some trouble afterwards.

Fixed bugs:

  • Authentication - The system did not generate a valid callback URL for external authentication providers if the site was running on a domain with a non-standard port number (different than 80 for HTTP, 443 for HTTPS). This resulted in an endless chain of redirects between the application and the authentication provider.
  • Form builder - The 'Checkbox' form component's 'Text' property did not support localization macro expressions.


Hotfix 12.0.73

Published: Fri, 12 Jun 2020 07:58:09 GMT

Be sure to check our Hotfix instructions before starting the hotfix process.It might save you some trouble afterwards.

Fixed bugs:

  • API - Kentico API that relied on static contexts, such as 'SiteContext', 'ContactManagementContext', or 'CMSActionContext', did not work and returned empty values when called within custom asynchronous (async) methods. After applying the hotfix, the contexts correctly persist their values within async code.
  • Files - When a folder was mapped to another location using the file system provider API, moving or copying of files from the local file system into the mapped folder did not work correctly in certain scenarios. For example, if a media library folder was mapped to Azure Blob storage, the system did not create files when using the import feature to add media files into the given folder.
  • Localization - Registration emails sent when a new user registered on a Portal Engine site through the 'Registration form' or 'Custom registration form' web part did not have the correct culture in certain scenarios. Localization macros placed into registration email templates (e.g. 'Membership - Registration' or 'Membership - Registration confirmation') were resolved into a default culture (English) instead of the user's current content culture on the site.
  • Page builder - If a custom form component using the React JavaScript library was assigned to a property of a page builder component (widget, section, etc.), click events (onclick) did not work in the resulting properties dialog. After applying the hotfix, click events of React components are triggered correctly in page builder property configuration dialogs.


Hotfix 12.0.72

Published: Fri, 05 Jun 2020 09:25:38 GMT

Be sure to check our Hotfix instructions before starting the hotfix process.It might save you some trouble afterwards.

Fixed bugs:

  • Staging - Staging tasks of the 'Break ACL inheritance' type were not logged correctly when the change was triggered by incoming synchronization from another server (typically in environments with 3 or more connected staging servers).


Hotfix 12.0.71

Published: Fri, 22 May 2020 06:41:34 GMT

Be sure to check our Hotfix instructions before starting the hotfix process.It might save you some trouble afterwards.

Fixed bugs:

  • E-commerce - When utilizing the 'Shipping option selection' web part in the checkout process on a Portal Engine site, an error occurred if a customer selected a shipping option and then later switched back to the default '(Please select)' item. After applying the hotfix, the web part no longer displays the '(Please select)' item after selecting and saving a valid shipping option. The problem occurred after applying hotfix 12.0.35 or newer.
  • Licensing - License keys containing domain names shorter than four characters were not recognized by the system.


Hotfix 12.0.70

Published: Fri, 15 May 2020 07:45:48 GMT

Be sure to check our Hotfix instructions before starting the hotfix process.It might save you some trouble afterwards.

Fixed bugs:

  • E-mail engine - If using a database server with relatively low-tier performance (for example an Azure SQL database with 400 DTUs) and sending extremely large numbers of emails, cleaning of archived emails could fail and potentially lead to buildup of sent emails, and even performance issues or crashes on the website. To fix the issue, either scale up the database, increase the database connection timeout, or lower the batch size for archived email deletion by adding the new 'CMSEmailDeleteBatchSize' key to the project's web.config file. The key's default value is 2000.


Hotfix 9.0.9

Published: Wed, 13 May 2020 08:57:19 GMT

Be sure to check our Hotfix instructions before starting the hotfix process.It might save you some trouble afterwards.

Fixed bugs:

  • Continuous integration - Child pages of linked pages weren't updated by the continuous integration solution when the source page of the link or one of its ancestors was renamed, moved or deleted.
  • Scheduler - Scheduled tasks with the 'Period' property set to 'Month' were not planned correctly (the system did not set a 'Next run' time).
  • Staging - When viewing staging tasks on the 'Pages' tab of the 'Staging' application, the titles of the listed tasks did not provide clickable links to the related pages.
  • User interface - When viewing the application list in the Chrome browser, the search box was pre-filled with the current user's username if the login credentials were saved in the browser and the Chrome Autofill feature was enabled.
  • Web farms - When running in a web farm environment, updates to the content of resource strings didn't invalidate the resource strings cached on other servers in the web farm. As a result, old resource string content was displayed until the cache was cleared for the given server.
  • Web parts - Paging didn't work when using the 'Universal viewer with custom query' web part if the 'Load individual pages' property was enabled and the 'Cache item name' property was set to a custom value.


Hotfix 9.0.8

Published: Wed, 13 May 2020 08:57:19 GMT

Be sure to check our Hotfix instructions before starting the hotfix process.It might save you some trouble afterwards.

Fixed bugs:

  • Attachments - When restoring culture versions of pages from the recycle bin, attachment files stored in page fields were not restored correctly.
  • Continuous integration - After renaming a field of a page type, the continuous integration solution did not update the serialized data representing pages of the given type (i.e. the 'fields.xml' files of individual pages stored in the 'CIRepository' folder).
  • Email marketing - When creating or modifying campaign emails, a duplicate scroll bar was displayed on the screen.
  • Macros - When calling the 'Where' macro method for a collection of objects within a text transformation, the method worked correctly only for the first item to which the transformation was applied.
  • Page types - When editing sites in the Sites application, it wasn't possible to assign or remove page types for the site on the 'Assigned objects -> Page types' tab.
  • Pages - Scripts used in the administration UI were loaded on the live site in anonymous sessions when not required.
  • Pages - Saving changes made to the Owner field of content only pages on the General tab in the Pages application caused an error.
  • Search - Page search indexes didn't work correctly if the indexed content included pages whose parent was excluded. When the content of such pages changed, the search index wasn't updated.
  • Web parts - 'Universal viewer' and 'Universal viewer with custom query' web parts caused an error if Paging mode was set to 'Postback' and the Pager position was set to 'Bottom' or 'Top and bottom'.


Hotfix 9.0.7

Published: Wed, 13 May 2020 08:57:19 GMT

Be sure to check our Hotfix instructions before starting the hotfix process.It might save you some trouble afterwards.

Fixed bugs:

  • API - The SKU property of the 'ProductOptionSelector' control didn't contain a setter. Selecting an option's SKU with the control therefore required an unnecessary database request when getting the SKU with its ID.
  • Blogs - When configuring the 'Blog comments' widget, an error occurred after changing the value of the 'Site name' property. In general, the problem could be triggered by postbacks during the configuration of any web part or widget with a property based on the 'Blog name selector' form control.
  • Blogs - When the Blogs application live tile was added to a user's dashboard, the system could not retrieve the number of blog posts and caused an error.
  • E-commerce - Orders could have been created with a payment method which wasn't applicable when no shipping was required.
  • Email marketing - When using link tracking for campaign emails, the system didn't consistently store the links in lower case in the database. The issue does not affect the link tracking functionality and was only fixed for the purposes of consistency.
  • Macros - The 'HTML editor toolbar set' property of the Editable text web part did not resolve macros in on-site edit mode.
  • On-line forms - When deleting a site, the system did not remove the database tables storing the data of forms assigned to the given site.
  • Search - The smart search crawler does not index pages on HTTPS sites without a certificate from a trusted authority. If you need to use self-signed certificates, you may override the certificate validation by adding the <add key="CMSSearchCrawlerAcceptAllCertificates" value="true" /> key to your web.config.


Hotfix 9.0.6

Published: Wed, 13 May 2020 08:57:19 GMT

Be sure to check our Hotfix instructions before starting the hotfix process.It might save you some trouble afterwards.

Fixed bugs:

  • API - Automated tests inheriting from the 'CMS.Tests.IsolatedIntegrationTests' base class failed due to database timeout errors under certain circumstances.
  • Avatars - When replacing existing avatar images, the new image was not saved if uploaded directly after the old image was removed without first submitting the change.
  • Modules - After deleting a UI element with child elements, the child elements were not displayed in the recycle bin. Restoring the parent did not restore the child elements.
  • On-line forms - Email notifications about new data records submitted for forms and autoresponder emails incorrectly displayed time values for fields of the 'Date' data type (in addition to the entered date).
  • Pages - An error occurred when using listing web parts to display related pages defined through a field of the 'Pages' type (advanced content modeling) in combination with columns specified in the Columns property.
  • Portal engine - When using on-site editing mode as an editor without the administrator privilege level, content defined through the 'HTML envelope' properties of web parts was incorrectly displayed for web parts that were not visible.
  • Staging - If a page under workflow had the "Publish from" date set in the future, editing the page and moving it to the published step did not log a corresponding "Publish page" staging task (the task was logged only after the publish date). After applying the hotfix, the staging task is logged immediately, which allows synchronization of the page's published state with a set "Publish from" date.


Hotfix 9.0.51

Published: Wed, 13 May 2020 08:57:19 GMT

Be sure to check our Hotfix instructions before starting the hotfix process.It might save you some trouble afterwards.

Fixed bugs:

  • Security - Added security improvements to the application.


Hotfix 9.0.50

Published: Wed, 13 May 2020 08:57:19 GMT

Be sure to check our Hotfix instructions before starting the hotfix process.It might save you some trouble afterwards.

Fixed bugs:

  • Contact management - When the deletion of inactive contacts took longer than 1 minute, the next run of the 'Delete inactive contacts' scheduled task was not set, and the task did not execute again. To fix the problem, you need to manually execute the scheduled task after applying the hotfix.
  • Macros - Macros for loading component CSS did not work for transformations and web part layouts. For example: {% CSS.Transformations["custom.article.list"] %}
  • Web analytics - The 'Analytics browser capabilities' web part did not work and pages containing the web part generated logging requests that resulted in an error (CSRF exception). The problem occurred after applying hotfix 9.0.48.


Hotfix 9.0.5

Published: Wed, 13 May 2020 08:57:19 GMT

Be sure to check our Hotfix instructions before starting the hotfix process.It might save you some trouble afterwards.

Fixed bugs:

  • API - Calling the 'TreeProvider.SelectNodes' method resulted in an error if the parameters were configured to retrieve multiple page types and a data column shared by at least two of the page types.
  • API - Automated tests inheriting from any of the CMS.Tests base classes failed when located in a project outside of the Kentico solution folder (CMS).
  • Authentication - Authentication of users did not work after setting the 'CMSUserSaltColumn' web.config key to a custom value.
  • Caching - Web parts containing a page data source (for example the 'Repeater' or 'Universal viewer') could lose their cached data in scenarios where a custom value was set for the 'Cache item name' property. The problem usually only occurred on sites with heavy traffic.
  • Contact management - When using a separated on-line marketing database, the action for removing all accounts from a contact group didn't work and an error was logged into the event log.
  • Controls - The 'MultiFileUploader' control displayed an invalid message in scenarios where the number of uploaded files exceeded the maximum allowed number set through the 'MaxNumberToUpload' property.
  • E-commerce - On installations without the 'On-line marketing' component, an error occurred when adding a new customer during the creation of an order in the 'Orders' application.
  • Email marketing - The 'Check bounced emails' scheduled task does not work when executed using the external scheduling service. Applying the hotfix disables the 'Use external task' property for the task on all existing sites. If you use the external scheduling service, you may need to manually disable the property for new instances of the task after creating or importing a new site.
  • Macros - When calling the 'ToString' macro method for DateTime or TimeSpan values with a formatting string parameter, the specified format was not applied to the result.
  • Pages - Restoring culture versions of pages from the recycle bin could cause an error if the first restored version was not in the site's default culture.
  • Scheduler - Scheduled tasks configured to be executed by the external scheduling service incorrectly displayed warnings about late execution in certain cases.
  • Search - Highlighting of keywords in smart search results didn't work correctly when using the 'TextHelper.OnBeforeRemoveDiacritics' event to customize handling of diacritics in a way that replaces special characters with a string of a different length. Note that the search does not highlight text with diacritics in scenarios where the search keywords contain the equivalent string without diacritics (even after applying the hotfix).
  • Staging - An error occurred when synchronizing "Update page" staging tasks on instances without an EMS license (Ultimate or lower).
  • Web analytics - When using web analytics, the system generated unnecessary SearchLogHit requests when searches with empty keywords occurred on the site.


Hotfix 9.0.49

Published: Wed, 13 May 2020 08:57:19 GMT

Be sure to check our Hotfix instructions before starting the hotfix process.It might save you some trouble afterwards.

Fixed bugs:

  • Email marketing - An error occurred after applying the subject filter on the 'Emails' tab when editing an email campaign in the Email marketing application.
  • Form controls - The 'Logic CAPTCHA' form control displayed the "(please enter the answer to the question or statement)" text even if its hidden 'ShowAfterText' property was disabled.
  • Search - An infinite loop could occur when building page smart search indexes if the indexed data fields contained complex HTML or XML structures.
  • Social Marketing - Facebook insight data was not collected for pages assigned to Facebook apps using version 2.7 or newer of the Facebook API (i.e. apps created after July 13, 2016).
  • Transformations - An error occurred when using transformations with a dot character in their code name. For example, if the system fetched a transformation directly from the database, the transformation's code name was parsed incorrectly and caused an error.


Hotfix 9.0.48

Published: Wed, 13 May 2020 08:57:19 GMT

Be sure to check our Hotfix instructions before starting the hotfix process.It might save you some trouble afterwards.

Fixed bugs:

  • Authentication - Windows Active Directory authentication could cause an error if replacement of forbidden characters was disabled for roles via the 'CMSEnsureSafeRoleNames' web.config key. The error occurred if import of AD domain groups as roles was enabled and the authenticated user belonged to at least one group with a forbidden character in its name.
  • Caching - After exporting and importing a page template containing the 'Output cache dependencies' web part, the keys specified in the web part's 'Cache dependencies' property were processed incorrectly and combined into a single invalid line.
  • Continuous integration - If the restoring of continuous integration data to the database failed, it was difficult to diagnose the exact cause in certain cases. If the process fails during the composition of an object consisting of multiple parts, the error message now contains the file system paths of the related files.
  • Hotfix - Kentico instances installed from setup files with hotfix 9.0.40 or newer applied did not work (errors occurred due to missing assembly files).
  • Media library - When sending emails from Kentico (for example in the Email queue application), images added to the email content from a media library with resized dimensions were inserted with a relative URL, which caused them to be unavailable when viewed in email clients.
  • Web farms - Changes of license keys were not synchronized correctly between web farm servers, which could lead to logged errors in certain cases.


Hotfix 9.0.47

Published: Wed, 13 May 2020 08:57:19 GMT

Be sure to check our Hotfix instructions before starting the hotfix process.It might save you some trouble afterwards.

Fixed bugs:

  • Authentication - When using certain external identity providers for authentication (for example Access Control Service), the system incorrectly handled situations where the identity provider returned an empty username claim. This caused an authentication loop for the client, which could result in the system generating multiple user accounts.
  • E-commerce - When using the search in customer selection dialogs (for example when manually creating new orders), the system only displayed customers with matching last names. After applying the hotfix, the search also uses the first name, company and email address customer fields.


Hotfix 9.0.46

Published: Wed, 13 May 2020 08:57:19 GMT

Be sure to check our Hotfix instructions before starting the hotfix process.It might save you some trouble afterwards.

Fixed bugs:

  • Custom tables - When using the Items property of custom table objects in macros, the data was incorrectly cached. For example, when using the 'GlobalObjects.CustomTables["<customtablecodename>"].Items' macro, the latest data was not returned.
  • Data engine - An error (System.NullReferenceException) could occur in certain cases while performing some types of operations on sites under heavy load.
  • Facebook connect - Due to changes in the Facebook API, an error occurred when a user attempted to sign in through newly registered Facebook authentication apps. After applying the hotfix, the 'Biography' field is no longer offered when configuring mappings of Facebook user profile fields (the field is not available in the Facebook API).
  • Pages - If the 'Check page permissions' setting was enabled, certain pages in the content tree could be incorrectly hidden even though users had sufficient permissions to view the pages.
  • Time zones - Date and time values were adjusted incorrectly if the value matched the start or end interval of the active time zone's daylight saving time (after conversion to the server time zone). As a result, the saved time did not match the selected time.
  • Web farms - When using automatic web farm mode, servers were deleted from the system while restarting. As a result, the system did not create file synchronization tasks while the server was missing. After applying the hotfix, servers always remain in the system for 24 hours after shutting down (unless running on Azure Cloud Services).


Hotfix 9.0.45

Published: Wed, 13 May 2020 08:57:19 GMT

Be sure to check our Hotfix instructions before starting the hotfix process.It might save you some trouble afterwards.

Fixed bugs:

  • Alternative forms - When editing a primary key (ID) field in an alternative form, the field editor did not allow selection of any form control other than 'Label'.
  • E-commerce - Custom ShippingOptionInfoProvider implementations could allow customers to get into a state when they could not finish their order. If customers changed their information or content of the shopping cart causing that the already selected shipping option was no longer applicable, customers were prevented from changing the invalid shipping option and could not continue with the checkout process.
  • Form controls - Enabling the 'Has depending fields' option for form fields caused an error in the resulting form when using certain form controls (Category selector, Department roles selector, Report selectors, User selector, Variation selector).


Hotfix 9.0.44

Published: Wed, 13 May 2020 08:57:19 GMT

Be sure to check our Hotfix instructions before starting the hotfix process.It might save you some trouble afterwards.

Fixed bugs:

  • Hotfix - An "Unsupported DLLs version" error occurred when applying the hotfix on some instances that were upgraded from older Kentico versions.
  • Pages - In certain cases, adding an existing page under workflow to a campaign caused the loss of page type data entered on the page's Form tab in the Pages application.
  • Security - If the system disabled cookies for a user via the 'Simple cookie law consent' or 'Cookie law consent' web part, an error (CSRF exception) occurred for each post request (button clicks, form submissions, etc.). The hotfix resolves the problem by changing the cookie level of the 'CMSCsrfCookie' cookie to 'System'.


Hotfix 9.0.43

Published: Wed, 13 May 2020 08:57:19 GMT

Be sure to check our Hotfix instructions before starting the hotfix process.It might save you some trouble afterwards.

Fixed bugs:

  • Caching - When loading data with caching enabled, the system performed multiple load operations in certain cases if running in a heavy-traffic environment with a large number of concurrent requests.
  • Contact management - The '{%OnlineMarketingContext.CurrentContact.ContactGroups.Count%}' macro for counting how many contact groups the contact is a member of did not resolve correctly because the 'ContactGroups' property of the 'ContactInfo' object was cached incorrectly.
  • Dashboards - Removing the UI element representing an application that was added to the system dashboard caused the dashboard to be blank. After applying the hotfix, the dashboard correctly displays applications after one of them is removed from the system.
  • E-mail engine - File attachments were not displayed when viewing emails sent from Kentico in the default iOS email client. The problem occurred after applying hotfix 9.0.29.
  • Form controls - When used in a form, the 'U.S. phone number' and 'Upload file' form controls generated a hidden <label> element in addition to the label in the form, which caused accessibility validation to fail for the form's output code.
  • Import/Export - When importing a site package with objects requiring a greater license edition than the one registered on the instance, a license limitation error occurred even if the import package contained a sufficient license key. After applying the hotfix, the system checks for suitable license keys in the content of imported packages.
  • Marketing automation - The 'Comment and move to specific step' action did not work when manually moving contacts between the steps of a marketing automation process.
  • Marketing automation - Marketing automation processes got stuck when they contained a Wait step whose Timeout settings were set to a Specific day with the date or time in the past.
  • Web analytics - In certain cases, the value of the 'Settings -> On-line marketing -> Web analytics -> Excluded IP addresses' setting was not applied until the application was restarted.
  • Web farms - When creating a scheduled task in a web farm environment with the 'Create tasks for all web farm servers' option enabled, the scheduled task was not created for the server processing the request.
  • Widgets - An error occurred when inserting inline widgets into newly created unsaved pages.


Hotfix 9.0.42

Published: Wed, 13 May 2020 08:57:19 GMT

Be sure to check our Hotfix instructions before starting the hotfix process.It might save you some trouble afterwards.

Fixed bugs:

  • Cultures - The 'Preferred content culture' user setting was ignored when using Windows authentication to authenticate users.
  • Debug - Enabling the file system (IO) debug through the information message on the 'System -> Files -> Debug' tab incorrectly enabled all types of debugs instead of just the file debug.
  • General - The system incorrectly performed set and remove session operations when handling requests using read-only session state, which caused errors (visible in the event log).
  • Hotfix - The Hotfix and upgrade utility did not display its buttons when opened on Windows 10 with 150% DPI scaling.
  • Metafiles - An error occurred when viewing metafiles on the 'System -> Files -> Metafiles' tab if the '(global)' option was chosen in the Site selector.
  • Staging - When the system synchronized pages under workflow with the 'Automatically update page alias' setting enabled, an error was incorrectly logged even though the synchronization was successful.
  • Staging - An error occurred when processing update and publish staging tasks for linked pages that were assigned to a category.
  • Staging - When deleting pages with the 'Redirect old URLs to another page' option, the system did not create staging tasks to update the page alias.
  • Users - If a screen lock occurred while impersonating a different user, the unlock dialog incorrectly required the credentials of the user who was being impersonated. After applying the hotfix, the unlock dialog accepts the credentials of the original user.
  • Web farms - When running in a web farm environment with a load balancer using non-sticky sessions, package files uploaded in the import wizard were not synchronized between servers, which could prevent the import from working.


Hotfix 9.0.41

Published: Wed, 13 May 2020 08:57:19 GMT

Be sure to check our Hotfix instructions before starting the hotfix process.It might save you some trouble afterwards.

Fixed bugs:

  • Microsoft Azure - When using Azure Blob storage to store files, the system performed an unnecessary number of requests when checking whether a file existed (for non-existing files). After applying the hotfix, information about non-existing Blob files is cached.
  • Widgets - When working with widgets properties, the system was not able to identify properties as inherited from the parent web part in certain cases, leading to duplicated properties in the configuration dialog and incorrectly applied property settings.


Hotfix 9.0.40

Published: Wed, 13 May 2020 08:57:19 GMT

Be sure to check our Hotfix instructions before starting the hotfix process.It might save you some trouble afterwards.

Fixed bugs:

  • Amazon S3 - Updated the Amazon Web Services SDK for .NET to version 3.1.9.0. After applying the hotfix, the Amazon S3 file storage can be used with all Amazon data centers.
  • Media library - When using an external file storage provider (for example Amazon S3), uploading of media files caused the application to become unresponsive for the given user while the upload was in progress.


Hotfix 9.0.4

Published: Wed, 13 May 2020 08:57:19 GMT

Be sure to check our Hotfix instructions before starting the hotfix process.It might save you some trouble afterwards.

Fixed bugs:

  • Modules - The 'Save as new page template' dialog did not work correctly when editing UI elements in the Modules application.
  • On-line forms - Entries in fields of the 'Date' data type incorrectly displayed time in addition to the entered date on the 'Recorded data' tab of the form editing interface. Use the 'Date and time' data type for recording both date and time in one field.
  • REST - When generating authentication hash parameters in 'Settings -> Integration -> REST', the system produced invalid hash values for certain types of URLs.
  • Scheduler - An error occurred when loading the list of scheduled tasks if any task had its "Period" property set to "Once" and was configured to be processed by the external scheduling service.


Hotfix 9.0.39

Published: Wed, 13 May 2020 08:57:19 GMT

Be sure to check our Hotfix instructions before starting the hotfix process.It might save you some trouble afterwards.

Fixed bugs:

  • Marketing automation - When a culture with a full localization pack was set as a site's 'Default content culture', macros containing 'Contact' objects were not resolved correctly in marketing automation processes for action steps placed after the Wait step.
  • Performance - The system loaded SQL query text to memory even when the SQL debug was disabled. This could lead to heavier memory usage and reduced application performance.
  • Staging - If a page under workflow with child pages had its page name changed and the 'Automatically update page alias' setting was enabled, processing of the related page staging task caused an error.
  • URL rewriting & SEO - In certain environments, the system handled 301 permanent redirects incorrectly if the target URL contained special characters. The redirects resulted in either an invalid URL or a page not found error.
  • User interface - Applications using a tree-based layout (for example the Pages application) could be incorrectly rendered if the tree contained a large number of elements.
  • Users - When working with the advanced search filter in the Users application, the 'Lock reason' selector incorrectly became disabled after the search was applied to the list of users.


Hotfix 9.0.38

Published: Wed, 13 May 2020 08:57:19 GMT

Be sure to check our Hotfix instructions before starting the hotfix process.It might save you some trouble afterwards.

Fixed bugs:

  • Caching - When using Output cache for pages with running A/B or MVT tests together with the 'Redirect invalid case URLs to their correct versions' setting configured to a different value than the default 'Do not check the URLs case' option, a blank page was displayed instead of the cached pages.
  • Form controls - The 'Has depending fields' setting did not work for fields using the 'Uni selector' form control with the 'Selection mode' set to Single or Multiple text box. The resulting form was not refreshed when the field's value was changed.
  • Search - An infinite loop could occur when rebuilding page smart search indexes if the indexed content included certain types of strings with HTML comments.
  • Settings - An error occurred when changing the code name of a custom setting key in the Modules application, if the setting had a site-specific value assigned (in the Settings application).
  • Users - The user impersonation dialog incorrectly displayed user accounts that were not enabled.